Abstract

It was shown in [WST08] that cryptographic primitives can be implemented based on the
assumption that quantum storage of qubits is noisy. In this work we analyze a protocol for the
universal task of oblivious transfer that can be implemented using quantum-key-distribution
(QKD) hardware in the practical setting where honest participants are unable to perform
noise-free operations. We derive trade-offs between the amount of storage noise, the amount of noise
in the operations performed by the honest participants and the security of oblivious transfer
which are greatly improved compared to the results in [WST08]. As an example, we show that
for the case of depolarizing noise in storage we can obtain secure oblivious transfer as long as
the quantum bit-error rate of the channel does not exceed 11% and the noise on the channel is
strictly less than the quantum storage noise. This is optimal for the protocol considered. Finally,
we show that our analysis easily carries over to quantum protocols for secure identification.
1 Introduction

The noisy-quantum-storage model [WST08] is based on the assumption that it is difficult to store
quantum states. Based on current practical and near-future technical limitations, we assume that
any state placed into quantum storage is affected by noise. At the same time the model assumes
that preparation, transmission and measurement of simple unentangled quantum states can be
performed with much lower levels of noise. The present-day technology of quantum key distribution
with photonic qubits demonstrates this contrast between a relatively simple technology for
preparation/transmission/measurement versus a limited capability for quantum storage.

Almost all interesting cryptographic tasks are impossible to realize without any restrictions
on the participating players, neither classically nor with the help of quantum information, see
e.g. [Lo97, May96, LC96, LC97, May97]. It is therefore an important task to come up with a
cryptographic model which restricts the capabilities of adversarial players and in which these tasks
become feasible. It turns out that all such two-party protocols can be based on a simple primitive
called 1-2 Oblivious Transfer (1-2 OT) [Kil88, GV88], first introduced in [Wie83, Rab81, EGL85].
In 1-2 OT, the sender Alice starts off with two bit strings $S_0$ and $S_1$, and the receiver Bob holds
a choice bit $C$. The protocol allows Bob to retrieve $S_C$ in such a way that Alice does not learn
any information about $C$ (thus, Bob cannot simply ask for $S_C$). At the same time, Alice must be
ensured that Bob only learns $S_C$, and no information about the other string $S_{\bar{C}}$ (thus, Alice cannot
simply send him both $S_0$ and $S_1$). A 1-2 OT protocol is called unconditionally secure when neither
Alice nor Bob can break these conditions, even when given unlimited resources.

Table 1: Summary of previous results and the results in this paper. The allowed quantum bit-error
rate (QBR) is the maximum effective error-rate on the actions of the honest parties below which
we can prove the security of the cryptographic scheme.

2 Results 

In this work we focus on the setting where the honest parties are unable to perform perfect
operations and experience errors themselves, where we analyze individual-storage attacks. These
honest-party errors can be modeled as bit-errors on an effective channel connecting the honest
parties. In unpublished work, we have shown that for the case of depolarizing noise in storage,
security can be obtained if the actions of the honest parties are noisy but their error rate does not
exceed 2.9% [WST07]. This threshold is too low to be of any practical value. In particular, this
result left open the question whether security can be obtained in a real-life scenario.

Using a very different analysis, we are now able to show that in the setting of individual-storage 
attacks 1-2 oblivious transfer and secure identification can be achieved in the noisy-storage model 
with depolarizing storage noise, as long as the quantum bit-error rate of the channel does not exceed 
11% and the noise on the channel is strictly less than the noise during quantum storage. This is 
optimal for the protocol considered. 

Our result is of great practical significance, since it paves the way to achieve security in a
real-life implementation. Our main new Theorems 4.2 and 6.1 relate the security of the 1-2 OT
protocol to an uncertainty lower bound on the conditional Shannon entropy. In order to prove
these theorems, we need to relate the Shannon entropy to the smooth min-entropy and establish
several new properties of the smooth min-entropy, see Section 3.2.1.

We evaluate the uncertainty lower bounds on the conditional Shannon entropy in the practically
interesting case of depolarizing noise, resulting in Theorems 5.1 and 6.2. From this analysis we obtain
the clear-cut result that, depending on the amount of storage noise, the adversary's optimal storage
attack is to either store the incoming state as is, or to measure it immediately in one of the two
BB84 bases.



2.1 The Noisy-Quantum-Storage Model and Individual-Storage Attacks 

The noisy-storage model assumes that any quantum state that is placed into quantum storage is
affected by some noise described by a quantum operation $\mathcal{N}$. Practically, noise can arise as a result
of transferring the qubit onto a different physical carrier, for example the transfer of a photonic
qubit onto an atomic ensemble or atomic state. In addition, a quantum state will undergo noise
once it has been transferred into 'storage' if such quantum memory is not 100% reliable.

In principle, one may like to prove security against an adversary that can perform any operation
on the incoming quantum states. Here however we analyze the restricted case where the adversary
Bob performs individual-storage attacks. More precisely, Bob's actions are of the following form as
depicted in Figure 1.

1. Bob may choose to (partially) measure (a subset of) his qubits immediately upon reception
using an error-free product measurement, i.e., when he receives the $j$th qubit, he may apply
any measurement $\mathcal{P}_j$ of his choosing.

2. In addition, he can store each incoming qubit, or post-measurement state from a prior partial
measurement, separately and wait until he gets additional information from Alice (at Step 3
in Protocol 1). During storage, the $j$th qubit is thereby affected by some noise described
by a quantum operation $\mathcal{N}_j$ acting independently on each qubit. Note that such quantum
operation $\mathcal{N}_j$ could come about from encoding an incoming qubit into an error-correcting
code and decoding it right before receiving Alice's additional information.

3. Once Bob obtains the additional information he may perform an arbitrary coherent measurement
$\mathcal{M}$ on his stored qubits and stored classical data.

We would like to note that we can also derive security if we would allow Bob to initially perform
any, non-product, destructive measurement on the incoming qubits. By destructive we mean that
there is no post-measurement quantum data left. The reason is that we have previously shown in
Lemma 2 in [WST08], that destructive product measurements are optimal for Bob if he is not
allowed to keep any post-measurement information. Hence this optimality of product measurements
reduces such more general destructive measurement model to our model of individual-storage
attacks. Measurements in present-day technology with single photon qubits in which photons are
detected, are in fact always destructive, hence our model includes many realistic attacks.
Intuitively, using entangling operations between the incoming qubits should be of little help in either
extracting more information from these independent, uncorrelated, BB84 qubits or in better
preserving these qubits against noise when the noise is extremely low and more is lost than gained by
measuring some qubits right away and using part of the newly freed space to encode the remaining
qubits. Of course this remains to be proven (see also Conclusion). What can help is to entangle an
incoming qubit individually with ancilla qubits in order to store the incoming qubit in an encoded
or other more robust form. This attack is covered in our model as an effective noisy operation $\mathcal{N}_j$
on incoming qubit $j$.

In the following, we use the quantum operation $\mathcal{S}_i$ to denote the combined quantum operations
of Bob's initial (partial) measurement and the noise.

Figure 1: Individual-Storage Attacks

2.2 Related work

Our model is closely related to the bounded-quantum-storage model, which assumes that the
adversary has a limited amount of quantum memory at his disposal [DFSS05, DFR+07]. Within this
'bounded-quantum-storage model' OT can be implemented securely as long as a dishonest receiver
Bob can store at most $n/4 - O(1)$ qubits coherently, where $n$ is the number of qubits transmitted
from Alice to Bob. This approach assumes an explicit limit on the physical number of qubits (or
more precisely, the rank of the adversary's quantum state). However, at present we do not know
of any practical physical situation which enforces such a limit for quantum information. As was
pointed out in [Sch07, DFSS08], the original bounded-quantum-storage analysis applies in the case
of noise levels which are so large that the dishonest player's quantum storage has an effective
noise- free Hilbert space with dimension at most 2"' '^. The advantage of our model is that we can 
evaluate the security parameters of a protocol explicitly in terms of the strength of the noise, even 
when the noise rate is very low. 

Precursors of the idea of basing cryptographic security on storage-noise are already present in
[BBCS92], but no rigorous analysis was carried through in that paper. We furthermore note
that our security proof does not exploit the noise in the communication channel (which has been
done in the classical setting to achieve cryptographic tasks, see e.g. [CK88, CMW04, Cre97]), but
is solely based on the fact that the dishonest receiver's quantum storage is noisy. A model based on
classical noisy storage is akin to the setting of a classical noisy channel, if the operations are noisy,
or the classical bounded-storage model, both of which are difficult to enforce in practice. Another
technical limitation has been considered in [Sal98] where a bit-commitment scheme was shown
secure under the assumption that the dishonest committer can only measure a limited amount
of qubits coherently. Our analysis differs in that we can in fact allow any coherent destructive
measurement at the end of the protocol.



2.3 Outline 

In Section 3 we introduce some notation and the necessary technical tools. In Section 4 we define
the security of 1-2 OT, present the protocol and prove its security in the case when honest players
do not experience noise. In Section 5 we then consider the example of depolarizing storage noise
explicitly. The lengthy proof of Theorem 5.1 can be found in Appendix B. In Section 6 we show
how to obtain security if the honest players are unable to perform perfect quantum operations.
Finally, we point out in Section 7 how our analysis carries over to other protocols.

3 Preliminaries 

We start by introducing the necessary definitions, tools and technical lemmas that we need in the 
remainder of this text. 

3.1 Basic Concepts 

We use $\in_R$ to denote the uniform random choice of an element from a set. We further use $x|_{\mathcal{I}}$ to
denote the string $x = x_1, \ldots, x_n$ restricted to the bits indexed by the set $\mathcal{I} \subseteq \{1, \ldots, n\}$. For a
binary random variable $C$, we denote by $\bar{C}$ the bit different from $C$.

Let $\mathcal{B}(\mathcal{H})$ denote the set of all bounded operators on a finite-dimensional Hilbert space $\mathcal{H}$.
Let $\mathcal{P}(\mathcal{H}) \subset \mathcal{B}(\mathcal{H})$ denote the subset of positive semi-definite Hermitian operators on $\mathcal{H}$, and let
$\mathcal{S}(\mathcal{H}) \subset \mathcal{P}(\mathcal{H})$ denote the subset of all quantum states on $\mathcal{H}$, i.e. $\rho \in \mathcal{S}(\mathcal{H})$ iff $\rho \in \mathcal{B}(\mathcal{H})$ with $\rho \geq 0$
and $\mathrm{Tr}(\rho) = 1$. $\mathrm{Tr}_A : \mathcal{B}(\mathcal{H}_{AB}) \to \mathcal{B}(\mathcal{H}_B)$ is the partial trace over system $A$. We denote by $\mathrm{id}_A$ the
identity operator on system $A$. Let $|0\rangle_+$, $|1\rangle_+$, $|0\rangle_\times := (|0\rangle_+ + |1\rangle_+)/\sqrt{2}$, $|1\rangle_\times := (|0\rangle_+ - |1\rangle_+)/\sqrt{2}$
denote the BB84-states corresponding to the encoding of a classical bit into the computational or
Hadamard basis, respectively.

Classical-Quantum States A cq-state $\rho_{XE}$ is a state that is partly classical, partly quantum,
and can be written as

$$\rho_{XE} = \sum_{x \in \mathcal{X}} P_X(x)\, |x\rangle\langle x| \otimes \rho_E^x .$$

Here, $X$ is a classical random variable distributed over the finite set $\mathcal{X}$ according to distribution
$P_X$, $\{|x\rangle\}_{x \in \mathcal{X}}$ is a set of orthonormal states and the register $E$ is in state $\rho_E^x$ when $X$ takes on value
$x$.

Distance measures The $L_1$-norm of an operator $A \in \mathcal{B}(\mathcal{H})$ is defined as $\|A\|_1 := \mathrm{Tr}\sqrt{A^\dagger A}$. The
fidelity between two quantum states $\rho, \sigma$ is defined as $F(\rho, \sigma) := \|\sqrt{\rho}\sqrt{\sigma}\|_1$. For pure states it takes
on the easy form $F(|\phi\rangle\langle\phi|, |\psi\rangle\langle\psi|) = |\langle\phi|\psi\rangle|$. The related quantity $C(\rho, \sigma) := \sqrt{1 - F^2(\rho, \sigma)}$ is a
convenient distance measure on normalized states [GLN05]. It is invariant under purifications and
equals the trace distance for pure states, i.e. $C(|\phi\rangle\langle\phi|, |\psi\rangle\langle\psi|) = \sqrt{1 - |\langle\phi|\psi\rangle|^2}$.



Non-uniformity We can say that a quantum adversary has little information about $X$ if the
distribution $P_X$ given his quantum state is close to uniform. Formally, this distance is quantified
by the non-uniformity of $X$ given $\rho_E = \sum_x P_X(x)\rho_E^x$ defined as

$$d(X|E) := \frac{1}{2} \left\| \mathrm{id}_X/|\mathcal{X}| \otimes \rho_E - \sum_x P_X(x)\, |x\rangle\langle x| \otimes \rho_E^x \right\|_1 . \qquad (1)$$

Intuitively, $d(X|E) \leq \varepsilon$ means that the distribution of $X$ is $\varepsilon$-close to uniform even given $\rho_E$, i.e.,
$\rho_E$ gives hardly any information about $X$. A simple property of the non-uniformity which follows
from its definition is that it does not change given independent information. Formally,

$$d(X|E, D) = d(X|E) \qquad (2)$$

for any cqq-state of the form $\rho_{XED} = \rho_{XE} \otimes \rho_D$.

3.2 Entropic Quantities 

Throughout this paper we use a number of entropic quantities. The binary-entropy function is
defined as $h(p) := -p \log p - (1 - p) \log(1 - p)$, where $\log$ denotes the logarithm base 2 throughout
this paper. The von Neumann entropy of a quantum state $\rho$ is given by

$$H(\rho) := -\mathrm{Tr}(\rho \log \rho) .$$

For a bipartite state $\rho_{AB} \in \mathcal{S}(\mathcal{H}_{AB})$, we use the shorthand

$$H(A|B) := H(\rho_{AB}) - H(\rho_B)$$

to denote the conditional von Neumann entropy of the state $\rho_{AB}$ given the quantum state $\rho_B =
\mathrm{Tr}_A(\rho_{AB}) \in \mathcal{S}(\mathcal{H}_B)$. Of particular importance to us are the following quantities introduced by
Renner [Ren05]. Let $\rho_{AB} \in \mathcal{S}(\mathcal{H}_{AB})$. Then the conditional min-entropy of $\rho_{AB}$ relative to $B$ is
defined by the following semi-definite program

$$H_\infty(A|B)_\rho := -\log \min_{\substack{\sigma_B \in \mathcal{P}(\mathcal{H}_B) \\ \rho_{AB} \leq \mathrm{id}_A \otimes \sigma_B}} \mathrm{Tr}(\sigma_B) .$$

For a cq-state $\rho_{XE}$ one can show [KRS09] that the conditional min-entropy is the (negative
logarithm of the) guessing probability ^1

$$H_\infty(X|E)_\rho = -\log P_{\mathrm{guess}}(X|E)_\rho , \qquad (3)$$

where $P_{\mathrm{guess}}(X|E)_\rho$ is defined as the maximum success probability of guessing $X$ by measuring the
$E$-register of $\rho_{XE}$. Formally, for any (not necessarily normalized) cq-state $\rho_{XE}$, we define

$$P_{\mathrm{guess}}(X|E)_\rho := \sup_{\{M_x\}} \sum_x P_X(x)\, \mathrm{Tr}(M_x \rho_E^x) ,$$

where the supremum ranges over all positive-operator valued measurements (POVMs) with
measurement elements $\{M_x\}_{x \in \mathcal{X}}$, i.e. $M_x \geq 0$ and $\sum_x M_x = \mathrm{id}_E$. If all information in $E$ is classical, we
recover the fact that the classical min-entropy is the negative logarithm of the average maximum
guessing probability.

In our proofs we also need smooth versions of these entropic quantities. The idea is to no
longer consider the min-entropy of a fixed state $\rho_{AB}$, but take the supremum over the min-entropy
of states $\bar{\rho}_{AB}$ which are close to $\rho_{AB}$, and which may have considerably larger min-entropy. In a
cryptographic setting, we are often not interested in the min-entropy of a concrete state $\rho_{AB}$, but
in the maximal min-entropy we can get from states in the neighborhood of $\rho_{AB}$, i.e. deviating only
slightly from the real situation $\rho_{AB}$. These smooth quantities have some nice properties which are
needed in our security proof. For $\varepsilon > 0$, the $\varepsilon$-smooth min-entropy of $\rho_{AB}$ is given by

$$H_\infty^\varepsilon(A|B)_\rho := \sup_{\bar{\rho}_{AB} \in \mathcal{K}^\varepsilon(\rho_{AB})} H_\infty(A|B)_{\bar{\rho}} ,$$

where $\mathcal{K}^\varepsilon(\rho_{AB}) := \{\bar{\rho}_{AB} \in \mathcal{P}(\mathcal{H}_{AB}) \mid C(\rho_{AB}, \bar{\rho}_{AB}) \leq \varepsilon \text{ and } \mathrm{Tr}(\bar{\rho}_{AB}) \leq 1\}$. If the quantum states
$\rho$ are clear from the context, we drop the subscript of the entropies.

^1 Such an "operational meaning" of conditional min-entropy can also be formulated for general qq-states [KRS09].



3.2.1 Properties of The Conditional Smooth Min-Entropy 

In our security analysis we make use of the following properties of smooth min-entropy. First, we
need the chain rule whose simple proof can be found in Appendix A.1.

Lemma 3.1 (Chain Rule) For any ccq-state $\rho_{XYE} \in \mathcal{S}(\mathcal{H}_{XYE})$ and for all $\varepsilon > 0$, it holds that

$$H_\infty^\varepsilon(X|YE) \geq H_\infty^\varepsilon(XY|E) - \log|\mathcal{Y}| ,$$

where $|\mathcal{Y}|$ is the alphabet size of the random variable $Y$.

Secondly, we prove the additivity of the smooth conditional min-entropy (see Appendix A.2):

Lemma 3.2 (Additivity) Let $\rho_{AB}$ and $\rho_{A'B'}$ be two independent qq-states. For $\varepsilon > 0$, it holds
that

$$H_\infty^{\varepsilon^2}(AA'|BB') \leq H_\infty^\varepsilon(A|B) + H_\infty^\varepsilon(A'|B') .$$

Thirdly, adding a classical register can only increase the smooth min-entropy (see Appendix A.3):

Lemma 3.3 (Monotonicity) For a ccq-state $\rho_{XYE}$ and for all $\varepsilon > 0$, it holds that

$$H_\infty^\varepsilon(XY|E) \geq H_\infty^\varepsilon(Y|E) .$$

At last, we deduce a lower bound on the conditional smooth min-entropy of product states. The
following theorem is a straightforward generalization of Theorem 7 in [TCR08] (see also [Ren05,
Theorem 3.3.6]) to the case where the states are independently, but not necessarily identically
distributed. The theorem states that for a large number of independent states, the conditional
smooth min-entropy can be lower-bounded by the conditional Shannon entropy. We note that
it is a common feature of equipartition theorems for classical or quantum information that the
assumption of i.i.d. sources can be replaced by the weaker assumption of non-i.i.d. but independent
sources (see Appendix A.4 for the proof).



Theorem 3.4 (adapted from [TCR08]) For $i = 1, \ldots, n$, let $\rho_i \in \mathcal{S}(\mathcal{H}_{AB})$ be density operators.
Then, for any $\varepsilon > 0$,

n 



n, 



1=1 



where, for n > I log -j , the error is given by 



(5(e,7) :=41og7Wlog^ 
and the single-system entropy contribution by 

7 < 2 max A/rank(/9yiJ -|- 1 . 
For the case of independent cq-states in Hilbert spaces with the same dimensions, we obtain

Corollary 3.5 For $i = 1, \ldots, n$, let $\rho_{X_i B_i}$ be cq-states over (copies of) the same space $\mathcal{H}_X \otimes \mathcal{H}_B$.



Then for every e > and n > ^ log -^ , 



where 5:= y^ ^°gy ^ 41og(2Vdim?t:x + 1)- 

We use the properties of the smooth min-entropy to prove the following two lemmas. These
lemmas show that the (smooth) min-entropy of two independent strings can be split.

Lemma 3.6 Let $\varepsilon > 0$, and let $\rho_{X_0 E_0}$, $\rho_{X_1 E_1}$ be two independent cq-states with

Additionally, let $S_0, S_1$ be classical random variables distributed over $\{0,1\}$. Then, there exists a
random variable $D \in \{0, 1\}$ such that $H_\infty^\varepsilon(X_{\bar{D}} D S_D | E_0 E_1) \geq \alpha/2$.



Proof. From the additivity of smooth min-entropy (Lemma 3.2) it follows that we can split the
min-entropy as

$$H_\infty^\varepsilon(X_0|E_0) + H_\infty^\varepsilon(X_1|E_1) \geq H_\infty^{\varepsilon^2}(X_0 X_1|E_0 E_1) \geq \alpha ,$$

and therefore, there exists $D \in \{0, 1\}$ such that

$$H_\infty^\varepsilon(X_{\bar{D}} D S_D | E_0 E_1) \geq \alpha/2 ,$$

where we used the monotonicity of smooth min-entropy (Lemma 3.3). □



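Lemma 3.7 Let $\varepsilon > 0$. Let $\rho_{XE} = \bigotimes_{i=0}^{m-1} \rho_{X_i E_i}$ be a cq-state consisting of $m$ independent
cq-substates such that $H_\infty^{\varepsilon^2}(X_i X_j|E) \geq \alpha$ for all $i \neq j$. Then there exists a random variable $V$ over
$\{1, \ldots, m\}$ such that for any $v \in \{1, \ldots, m\}$ with $P[V \neq v] > 0$,

$$H_\infty^\varepsilon(X_v | E, V, V \neq v) \geq \alpha/2 - \log(m) .$$

Proof. Let $V \in \{0, \ldots, m-1\}$ be the index which achieves the minimum of $H_\infty^\varepsilon(X_i|E_i)$, i.e.
$H_\infty^\varepsilon(X_V|E_V) = \min_i H_\infty^\varepsilon(X_i|E_i)$. By the additivity of smooth min-entropy (Lemma 3.2), we have
for all $v \neq V$,

$$\alpha \leq H_\infty^{\varepsilon^2}(X_v X_V|E) \leq H_\infty^\varepsilon(X_v|E_v) + H_\infty^\varepsilon(X_V|E_V) .$$

It follows that $H_\infty^\varepsilon(X_v|E_v, V \neq v) \geq \alpha/2$. The chain rule (Lemma 3.1) then leads to the claim. □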



3.3 Tools 

We also require the following technical results. This lemma is well-known, see [AS00] or [MP95]
for a proof.

Lemma 3.8 (Chernoff's inequality) Let $X_1, \ldots, X_n$ be identically and independently distributed
random variables with Bernoulli distribution, i.e. $X_i = 1$ with probability $p$ and $X_i = 0$ with
probability $1 - p$. Then $S := \sum_{i=1}^n X_i$ has a binomial distribution with parameters $(n, p)$ and it holds
that

$$\Pr[\,|S - pn| > \varepsilon n\,] \leq 2e^{-2\varepsilon^2 n} .$$



Privacy Amplification The OT protocol makes use of two-universal hash functions. These hash
functions are used for privacy amplification similar as in quantum key distribution. A class $\mathcal{F}$ of
functions $f : \{0, 1\}^n \to \{0, 1\}^\ell$ is called two-universal, if for all $x \neq y \in \{0, 1\}^n$ and $f \in \mathcal{F}$ chosen
uniformly at random from $\mathcal{F}$, we have $\Pr[f(x) = f(y)] \leq 2^{-\ell}$ [CW79]. The following theorem
expresses how the application of hash functions can increase the privacy of a random variable $X$
given a quantum adversary holding $\rho_E$, the function $F$ and a classical random variable $U$:

Theorem 3.9 ([Ren05], [DFR+07]) Let $\mathcal{F}$ be a class of two-universal hash functions from $\{0, 1\}^n$
to $\{0, 1\}^\ell$. Let $F$ be a random variable that is uniformly and independently distributed over $\mathcal{F}$, and
let $\rho_{XUE}$ be a ccq-state. Then, for any $\varepsilon > 0$,

$$d(F(X)|F, U, E) \leq 2^{-\frac{1}{2}(H_\infty^\varepsilon(X|UE) - \ell) - 1} + \varepsilon .$$

4 1-2 Oblivious Transfer 

4.1 Security Definition and Protocol 



In this section we prove the security of a randomized version of 1-2 OT (Theorem 4.2) from which
we can easily obtain 1-2 OT. In such a randomized 1-2 OT protocol, Alice does not input two strings
herself, but instead receives two strings $S_0, S_1 \in \{0, 1\}^\ell$ chosen uniformly at random. Randomized
OT (ROT) can easily be converted into OT. After the ROT protocol is completed, Alice uses her
strings $S_0, S_1$ obtained from ROT as one-time pads to encrypt her original inputs $\hat{S}_0$ and $\hat{S}_1$, i.e. she
sends an additional classical message consisting of $\hat{S}_0 \oplus S_0$ and $\hat{S}_1 \oplus S_1$ to Bob. Bob can retrieve the
message of his choice by computing $S_C \oplus (\hat{S}_C \oplus S_C) = \hat{S}_C$. He stays completely ignorant about the
other message $\hat{S}_{\bar{C}}$ since he is ignorant about $S_{\bar{C}}$. The security of a quantum protocol implementing
ROT is formally defined in [DFR+07] and justified in [FS09] (see also [WW08]).



Definition 4.1 An $\varepsilon$-secure 1-2 $\mathrm{ROT}^\ell$ is a protocol between Alice and Bob, where Bob has input
$C \in \{0, 1\}$, and Alice has no input.

• (Correctness) If both parties are honest, then for any distribution of Bob's input $C$, Alice gets
outputs $S_0, S_1 \in \{0,1\}^\ell$ which are $\varepsilon$-close to uniform and independent of $C$ and Bob learns
$Y = S_C$ except with probability $\varepsilon$.

• (Security against dishonest Alice) If Bob is honest and obtains output $Y$, then for any cheating
strategy of Alice resulting in her state $\rho_A$, there exist random variables $S'_0$ and $S'_1$ such that
$\Pr[Y = S'_C] \geq 1 - \varepsilon$ and $C$ is independent of $S'_0, S'_1$ and $\rho_A$. ^2

• (Security against dishonest Bob) If Alice is honest, then for any cheating strategy of Bob
resulting in his state $\rho_B$, there exists a random variable $D \in \{0, 1\}$ such that $d(S_{\bar{D}} | S_D D \rho_B) \leq
\varepsilon$.

For convenience, we choose $\{+, \times\}$ instead of $\{0,1\}$ as domain of Bob's choice bit $C$. We
consider the same protocol for ROT as in [DFR+07].

^2 Existence of the random variables $S'_0, S'_1$ has to be understood as follows: given the cq-state $\rho_{YA}$ of honest Bob
and dishonest Alice, there exists a cccq-state $\rho_{Y S'_0 S'_1 A}$ such that tracing out the registers of $S'_0, S'_1$ yields the original
state $\rho_{YA}$ and the stated properties hold.

Figure 2: Bob performs a partial measurement $\mathcal{P}_i$, followed by noise $\mathcal{N}$, and outputs a guess bit $x_g$
depending on his classical measurement outcome, the remaining quantum state, and the additional
basis information.



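Protocol 1 ([DFR+07]) 1-2 $\mathrm{ROT}^\ell$

1. Alice picks $X \in_R \{0, 1\}^n$ and $\Theta \in_R \{+, \times\}^n$. Let $\mathcal{I}_b = \{i \mid \Theta_i = b\}$ for $b \in \{+, \times\}$. At time
$t = 0$, she sends $|X_1\rangle_{\Theta_1}, \ldots, |X_n\rangle_{\Theta_n}$ to Bob.

2. Bob measures all qubits in the basis corresponding to his choice bit $C \in \{+, \times\}$. He obtains
outcome $X' \in \{0,1\}^n$.

3. Alice picks two hash functions $F_+, F_\times \in_R \mathcal{F}$, where $\mathcal{F}$ is a class of two-universal hash
functions. At the reveal time $t = T_{\mathrm{rev}}$, she sends $\mathcal{I}_+, \mathcal{I}_\times, F_+, F_\times$ to Bob. Alice outputs
$S_+ = F_+(X|_{\mathcal{I}_+})$ and $S_\times = F_\times(X|_{\mathcal{I}_\times})$. ^3

4. Bob outputs $S_C = F_C(X'|_{\mathcal{I}_C})$.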
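
The four steps of Protocol 1, followed by the ROT-to-OT conversion of Section 4.1, as an added Python sketch (not code from the paper). It simulates honest, noise-free parties classically; the function names, the choice of uniformly random binary matrices as the two-universal class, and the memoryless-receiver check are assumptions made for this illustration.

```python
import random

PLUS, TIMES = "+", "x"   # the two BB84 bases; Bob's choice bit C ranges over the same set


def restrict_and_pad(bits, index_set, n):
    """X|_I as an n-bit integer: the bits of X at the indices in I, in order.
    Bit positions len(I)..n-1 stay 0, which is the zero padding of footnote 3."""
    out = 0
    for pos, i in enumerate(index_set):
        out |= bits[i] << pos
    return out


def sample_hash(n, ell, rng):
    """Draw f from a two-universal class: a uniformly random ell x n binary matrix M.
    For x != y, M(x xor y) is uniform on {0,1}^ell, so Pr[f(x) = f(y)] = 2^-ell."""
    return [rng.getrandbits(n) for _ in range(ell)]


def apply_hash(rows, x):
    """Compute Mx over GF(2); output bit j is the parity of (row_j AND x)."""
    out = 0
    for j, row in enumerate(rows):
        out |= (bin(row & x).count("1") & 1) << j
    return out


def measure(bit, prep_basis, meas_basis, rng):
    """Ideal BB84 measurement: same basis returns the bit, the other basis a coin flip."""
    return bit if prep_basis == meas_basis else rng.getrandbits(1)


def rot(n, ell, choice, rng):
    """One noise-free run of Protocol 1 with honest parties.
    Returns Alice's outputs {+: S_+, x: S_x}, Bob's output S_C, and the value a Bob
    without quantum memory would compute for the other string from his outcomes."""
    # Step 1: Alice picks X and Theta and sends |X_i>_{Theta_i}.
    x = [rng.getrandbits(1) for _ in range(n)]
    theta = [rng.choice((PLUS, TIMES)) for _ in range(n)]
    # Step 2: Bob measures every qubit in basis C.
    x_prime = [measure(x[i], theta[i], choice, rng) for i in range(n)]
    # Step 3: Alice reveals I_+, I_x, F_+, F_x and computes her two outputs.
    index = {b: [i for i in range(n) if theta[i] == b] for b in (PLUS, TIMES)}
    f = {b: sample_hash(n, ell, rng) for b in (PLUS, TIMES)}
    s = {b: apply_hash(f[b], restrict_and_pad(x, index[b], n)) for b in (PLUS, TIMES)}
    # Step 4: Bob hashes his outcomes restricted to I_C.
    bob = apply_hash(f[choice], restrict_and_pad(x_prime, index[choice], n))
    other = TIMES if choice == PLUS else PLUS
    guess = apply_hash(f[other], restrict_and_pad(x_prime, index[other], n))
    return s, bob, (other, guess)


def ot(m_plus, m_times, choice, n, ell, rng):
    """ROT -> OT: Alice one-time-pads her ell-bit inputs with S_+ and S_x,
    Bob removes the pad from the ciphertext he chose."""
    s, bob, _ = rot(n, ell, choice, rng)
    cipher = {PLUS: m_plus ^ s[PLUS], TIMES: m_times ^ s[TIMES]}  # Alice's extra message
    return cipher[choice] ^ bob


def leak_rate(trials, n, ell, rng):
    """Fraction of runs in which a memoryless Bob's wrong-basis outcomes
    happen to hash to the string he did not choose."""
    hits = 0
    for _ in range(trials):
        s, _, (other, guess) = rot(n, ell, PLUS, rng)
        hits += guess == s[other]
    return hits / trials


if __name__ == "__main__":
    rng = random.Random(2009)  # fixed seed for a reproducible demo; not a CSPRNG
    print(hex(ot(0xC0FFEE, 0xBADF00D, TIMES, n=256, ell=32, rng=rng)))
    print(leak_rate(200, n=256, ell=32, rng=rng))
```

The simulation covers only a receiver who measures immediately; the storage attacks analyzed in Section 4.2 need a quantum-state model and are not represented here.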



4.2 Security Analysis 



We show in this section that Protocol 1 is secure according to Definition 4.1 in case the dishonest
receiver is restricted to individual-storage attacks.

Correctness First of all, note that it is clear that the protocol fulfills its task correctly. Bob can
determine the string $X|_{\mathcal{I}_C}$ (except with negligible probability $2^{-n}$ the set $\mathcal{I}_C$ is non-empty) and
hence obtains $S_C$. Alice's outputs $S_+, S_\times$ are perfectly independent of each other and of $C$.

Security against Dishonest Alice Security holds in the same way as shown in [DFR+07]. As
the protocol is non-interactive, Alice never receives any information from Bob at all, and Alice's
input strings can be extracted by letting her interact with an unbounded receiver.

Security against Dishonest Bob Proving that the protocol is secure against Bob requires more
work. Our goal is to show that there exists a $D \in \{+, \times\}$ such that Bob is completely ignorant
about $S_{\bar{D}}$.

Recall that in round $i$, honest Alice picks $X_i \in_R \{0, 1\}$ and $\Theta_i \in_R \{+, \times\}$ and sends $|X_i\rangle_{\Theta_i}$ to
dishonest Bob. Bob can subsequently do a partial measurement to obtain the classical outcome $K_i$
and store the remaining quantum state in register $E_i$ which is then subject to noise (see Figure 2). It
is important to note that Bob's initial partial measurement does not depend on the basis information
$\Theta$. Since we are modeling individual-storage attacks, the overall state (as viewed by Bob) for Alice
and Bob right before time $T_{\mathrm{rev}}$ is of the form

$$\rho_{X \Theta K E} = \bigotimes_{i=1}^{n} \rho_{X_i \Theta_i K_i E_i} ,$$

^3 If $X|_{\mathcal{I}_b}$ is less than $n$ bits long Alice pads the string $X|_{\mathcal{I}_b}$ with 0's to get an $n$ bit-string in order to apply the
hash function to $n$ bits.



with 



Px,e,K,E, " 4 ^ ^fc,|x,e, \xi){xi\ (g) \ei){9i\ (g) \ki){ki\ (gMi (/jjej , (5) 



•^ii^i ii^i 



Gi Ki 



Ei 



where we use $X_i$ to denote Alice's system corresponding to her choice of bit $x_i$, $\Theta_i$ for the system
corresponding to her choice of basis $\theta_i$, and $K_i$ and $E_i$ for Bob's systems corresponding to the
classical outcome $k_i$ (with probability $p_{k_i|x_i \theta_i}$) of his partial measurement and his remaining quantum
system respectively.

It is clear that a dishonest receiver will have some uncertainty about the bit $X_i$, given that
he either measured the register $E$ without the correct basis information and that storage noise
occurred on the post-measurement quantum state. To formalize this uncertainty, let us call $t$ an
uncertainty lower bound on the conditional Shannon entropy if, for all $i = 1, \ldots, n$, we have

$$H(X_i | \Theta_i K_i E_i) = H(\rho_{X_i \Theta_i K_i E_i}) - H(\rho_{\Theta_i K_i E_i}) \geq t . \qquad (6)$$

The parameter $t$ thereby depends on the specific kind of noise in the quantum storage. In Section 5
we evaluate the uncertainty lower-bound $t$ for the case of depolarizing noise.

The following theorem shows that as long as $\ell < tn/4$, the protocol is secure except with
probability $\varepsilon$. Since we are performing 1-out-of-2 oblivious transfer of $\ell$-bit strings, $\ell$ corresponds
to the "amount" of oblivious transfer we can perform for a given security parameter $\varepsilon$ and number
of qubits $n$. In QKD, $\ell$ corresponds to the length of the key generated.



if n > ^ log -^ and 



Theorem 4.2 Protocol 1 is $2\varepsilon$-secure against a dishonest receiver Bob according to Definition 4.1
flog I 

$$\ell \leq \frac{1}{4}(t - \delta)n + \frac{1}{2} - \log\frac{1}{\varepsilon}$$



where 6 = 8y/log{2/e^)/n, and t is the uncertainty lower bound on the conditional Shannon entropy 
fulfilling Eq. (6).

Proof. We need to show the existence of a binary random variable $D$ such that $S_{\bar{D}}$ is $\varepsilon$-close
to uniform from Bob's point of view. As noted above, the overall state of Alice and Bob before
time $T_{\mathrm{rev}}$ has a product form. After time $T_{\mathrm{rev}}$, dishonest Bob holds the classical registers $\Theta$, $K$,
the quantum register $E$ as well as classical information about the hash functions $F_+, F_\times$. To prove
security, we first lower-bound Bob's uncertainty about $X$ in terms of min-entropy, use Lemma 3.6
to obtain $D$ and then apply the privacy amplification theorem.

First of all, we know from Corollary 3.5 that the smooth min-entropy of an $n$-fold tensor state is
roughly equal to $n$ times the von Neumann entropy of its substates. Hence, applying Corollary 3.5
to our setting with $B_i := \Theta_i K_i E_i$ and $\log(2\sqrt{\dim \mathcal{H}_X} + 1) = \log(2\sqrt{2} + 1) < 2$ we obtain for

ra > I log ^ that 

$$H_\infty^{\varepsilon^2}(X | \Theta K E) \geq \sum_{i=1}^{n} H(X_i | \Theta_i K_i E_i) - \delta n \geq (t - \delta)n ,$$

with 5 = S^J\ag{2/£^)/n. We used Equation Ml) in the first inequahty and the last follows by 
Definition (6) of the uncertainty bound $t$.

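For ease of notation, we use $X_+$ and $X_\times$ to denote $X|_{\mathcal{I}_+}$ and $X|_{\mathcal{I}_\times}$, the sequences of bits $X_i$
where $\Theta_i = +$ and $\Theta_i = \times$, respectively. From $H_\infty^{\varepsilon^2}(X_+ X_\times | \Theta K E) \geq (t - \delta)n$ and Lemma 3.6 it
follows that $D \in \{+, \times\}$ exists such that

$$H_\infty^\varepsilon(X_{\bar{D}} D S_D | \Theta K E) \geq (t - \delta)\frac{n}{2} .$$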



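The rest of the security proof is analogous to the derivation in [DFR+07]: It follows from the chain
rule (Lemma 3.1) and the monotonicity (Lemma 3.3) of the smooth min-entropy that

$$H_\infty^\varepsilon(X_{\bar{D}} | \Theta D S_D K E) \geq H_\infty^\varepsilon(X_{\bar{D}} D S_D | \Theta K E) - (\ell + 1) \geq (t - \delta)\frac{n}{2} - \ell - 1 .$$

The privacy amplification Theorem 3.9 yields

$$d(F_{\bar{D}}(X_{\bar{D}}) \mid \Theta F_D D S_D K E) \leq 2^{-\frac{1}{2}\left((t - \delta)\frac{n}{2} + 1 - 2\ell\right)} + \varepsilon \qquad (7)$$

which is smaller than $2\varepsilon$ as long as

$$(t - \delta)\frac{n}{4} + \frac{1}{2} - \ell \geq \log\frac{1}{\varepsilon} ,$$

from which our claim follows. □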

We note that one can improve on the extractable length $\ell$ by using a quantum version of Wullschleger's
distributed-privacy-amplification theorem [Wul07]. Since this technique is specific to oblivious
transfer and does not apply to our extension to the case of secure identification, we do not go into
the details here.

5 Example: Depolarizing Noise 

In this section, we consider the case when Bob's storage is affected by depolarizing noise as described
by the quantum operation

$$\mathcal{N}(\rho) = r\rho + (1 - r)\frac{\mathrm{id}}{2} . \qquad (8)$$

Depolarization noise will leave the input state $\rho$ intact with probability $r$, but replace it with the
completely mixed state with probability $1 - r$. In order to give explicit security parameters for
this setting, our goal is to prove an uncertainty bound $t$ for the conditional von Neumann entropy
$H(X_i | \Theta_i K_i E_i)$ as in Eq. (6). Exploiting the symmetries in the setting, we derive in Appendix B
the following result. We drop the index $i$ in this Theorem.
Theorem 5.1 Let $\mathcal{N}$ be the depolarizing quantum operation given by Eq. (8) and let $H(X | \Theta K E)$
be the conditional von Neumann entropy of one qubit. Then

mX\QKE) > I ^^^^ forr>r, 
^ ' I 1/2 forr<r, 

where $\hat{r} := 2h^{-1}(1/2) - 1 \approx 0.7798$.

Our result shows that when the probability of retaining the input state $\rho$ is small, $r < 0.7798$,
the best attack for Bob is to measure everything right away in the computational basis. For this
measurement, we have $H(X | \Theta K E) \geq 1/2$. If the depolarizing rate is low, i.e. $r > 0.7798$, our result
says that the best strategy for Bob is to simply store the qubit as is.

Our result may seem contradictory to our previous error trade-off obtained in [WST07], where
Bob's best strategy was to either store the qubit as is or measure it in the Breidbart basis depending
on the amount of depolarizing noise. Note, however, that the quantity we optimize in this work is the
von Neumann entropy and not the guessing probability considered in [WST07]. This phenomenon
is similar to the setting of QKD, where Eve's strategy that optimizes her guessing probability is
different from the one that optimizes the entropy [GRTZ02]. In general, the von Neumann entropy
is larger than the min-entropy (which corresponds to the guessing probability). Corollary 3.5
provides the explanation why the von Neumann entropy is the relevant quantity in the setting of
individual-storage attacks.

6 Robust Oblivious Transfer 

In a practical setting, honest Alice and honest Bob are not able to perform perfect quantum operations or transmit qubits through a noiseless channel. We must therefore modify the ROT protocol to make it robust against noise for the honest parties. The protocol we consider is a small modification of the protocol considered in [Sch07]. The idea is to let Alice send additional error-correcting information which can help honest Bob to retrieve $S_C$ as desired. The main difficulty in the analysis of the extended protocol is the fact that we have to assume a worst-case scenario: If Bob is dishonest, we give him access to a perfect noise-free quantum channel with Alice and he only experiences noise during storage.

We can divide the noise on the channel into two categories, which we consider separately: First, we consider erasure noise (in practice corresponding to photon loss) during preparation, transmission and measurement of the qubits by the honest parties. Let $1 - p_{\mathrm{erase}}$ be the total probability for an honest Bob to measure and detect a photon in the $\{+, \times\}$-basis given that an honest Alice prepares a weak pulse in her lab and sends it to him. The probability $p_{\mathrm{erase}}$ is determined, among other things, by the mean photon number in the pulse, the loss on the channel and the quantum efficiency of the detector. In our protocol we assume that the erasure rate $p_{\mathrm{erase}}$ is independent for every pulse and independent of whether qubits were encoded or measured in the $+$- or $\times$-basis whenever Bob is honest. This assumption is necessary to guarantee the correctness and the security against a cheating Alice only. Fortunately, this assumption is well matched with the possible physical implementations of the protocol.

Any other noise source during preparation, transmission and measurement can be characterized as an effective classical noisy channel resulting in the output bits $X'$ that Bob obtains at Step 3 of Protocol 2. For simplicity, we model this compound noise source as a classical binary symmetric channel acting independently on each bit of $X$. Typical noise sources for polarization-encoded qubits are depolarization during transmission, dark counts in Bob's detector and misaligned polarizing beam-splitters. Let the effective bit-error probability, called the quantum bit-error rate in quantum key distribution, of this binary symmetric channel be $p_{\mathrm{error}} < 1/2$.

6.1 Protocol 

In this section we present the modified version of the ROT protocol. Before engaging in the actual protocol, Alice and Bob agree on a small enough security-error probability $\varepsilon > 0$ that they are willing to tolerate. In addition, they determine the system parameters $p_{\mathrm{erase}}$ and $p_{\mathrm{error}}$ similarly to Step 1 of the protocol in [BBCS92]. Furthermore, they agree on a family $\{C_n\}$ of linear error-correcting codes of length $n$ capable of efficiently correcting $n \cdot p_{\mathrm{error}}$ errors [Cre97]. For any string $x \in \{0,1\}^n$, error-correction is done by sending the syndrome information $syn(x)$ to Bob from which he can correctly recover $x$ if he holds an output $x' \in \{0,1\}^n$ obtained by flipping each bit of $x$ independently with probability $p_{\mathrm{error}}$. It is known that for large enough $n$, the code $C_n$ can be chosen such that its rate is arbitrarily close to $1 - h(p_{\mathrm{error}})$ and the syndrome length (the number of parity check bits) is asymptotically bounded by $|syn(x)| < h(p_{\mathrm{error}})n$ [Cre97]. We assume that the players have synchronized clocks. In each time slot, Alice sends one qubit to Bob.

Protocol 2 Robust 1-2 $\mathrm{ROT}^{\ell}(C, T, \varepsilon)$

1. Alice picks $X \in_R \{0,1\}^n$ and $\Theta \in_R \{+, \times\}^n$.

2. For $i = 1, \ldots, n$: In time slot $t = i$, Alice sends $|X_i\rangle_{\Theta_i}$ as a phase- or polarization-encoded weak pulse of light to Bob.

3. In each time slot, Bob measures the incoming qubit in the basis corresponding to his choice bit $C \in \{+, \times\}$ and records whether he detects a photon or not. He obtains some bit-string $X' \in \{0,1\}^m$ with $m \leq n$.

4. Bob reports back to Alice in which time slots he received a qubit. Alice restricts herself to the set of $m \leq n$ bits that Bob did not report as missing. Let this set of qubits be $S_{\mathrm{remain}}$ with $|S_{\mathrm{remain}}| = m$.

5. Let $\mathcal{I}_b = \{i \in S_{\mathrm{remain}} \mid \Theta_i = b\}$ for $b \in \{+, \times\}$ and let $m_b = |\mathcal{I}_b|$. Alice aborts the protocol if either $m_+$ or $m_\times$ are outside the interval $[(1 - p_{\mathrm{erase}} - \varepsilon)n/2, (1 - p_{\mathrm{erase}} + \varepsilon)n/2]$. If this is not the case, Alice picks two two-universal hash functions $F_+, F_\times \in_R \mathcal{F}$. At time $t = n + T_{\mathrm{rev}}$, Alice sends $\mathcal{I}_+, \mathcal{I}_\times$, $F_+, F_\times$, and the syndromes $syn(X|_{\mathcal{I}_+})$ and $syn(X|_{\mathcal{I}_\times})$ according to codes of appropriate length $m_b$ to Bob. Alice outputs $S_+ = F_+(X|_{\mathcal{I}_+})$ and $S_\times = F_\times(X|_{\mathcal{I}_\times})$.

6. Bob uses $syn(X|_{\mathcal{I}_C})$ to correct the errors on his output $X'|_{\mathcal{I}_C}$. He obtains the corrected bit-string $X_{\mathrm{cor}}$ and outputs $S'_C = F_C(X_{\mathrm{cor}})$.
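The honest run of Protocol 2 can be traced with a classical simulation. The following is an added example, not code from the paper: the qubits are replaced by the measurement statistics an honest Bob sees (erasure with probability p_erase, bit flips with probability p_error in the matching basis, a uniformly random bit otherwise), a blockwise [7,4] Hamming code stands in for the code family {C_n}, and a random binary matrix stands in for the two-universal family; all function names are hypothetical.

```python
import random

def block_syndrome(block):
    """Syndrome of one 7-bit block under the [7,4] Hamming code.

    Column j of the parity-check matrix is the binary expansion of j, so the
    syndrome is the XOR of the (1-based) positions that hold a 1.
    """
    s = 0
    for pos, bit in enumerate(block, start=1):
        if bit:
            s ^= pos
    return s

def syndromes(bits):
    """syn(x): one 3-bit syndrome per 7-bit block (last block zero-padded)."""
    padded = bits + [0] * (-len(bits) % 7)
    return [block_syndrome(padded[i:i + 7]) for i in range(0, len(padded), 7)]

def correct(noisy, syn):
    """Step 6: flip the position named by the difference of the two syndromes."""
    out = noisy + [0] * (-len(noisy) % 7)
    for blk, s_alice in enumerate(syn):
        diff = s_alice ^ block_syndrome(out[7 * blk:7 * blk + 7])
        if diff:
            out[7 * blk + diff - 1] ^= 1
    return out[:len(noisy)]

def sample_hash(rng, ell, m):
    """Random ell x m binary matrix: two-universal from {0,1}^m to {0,1}^ell."""
    return [[rng.randrange(2) for _ in range(m)] for _ in range(ell)]

def apply_hash(f, bits):
    return [sum(a & b for a, b in zip(row, bits)) & 1 for row in f]

def run_protocol(n, p_erase, p_error, eps, ell, choice, rng):
    # Steps 1-2: Alice's bits X and bases Theta; one pulse per time slot.
    X = [rng.randrange(2) for _ in range(n)]
    theta = [rng.choice("+x") for _ in range(n)]
    # Step 3: Bob measures every pulse in the basis given by his choice bit.
    received, x_bob = [], {}
    for i in range(n):
        if rng.random() < p_erase:
            continue                      # photon lost, nothing detected
        received.append(i)
        if theta[i] == choice:
            x_bob[i] = X[i] ^ int(rng.random() < p_error)  # binary symmetric channel
        else:
            x_bob[i] = rng.randrange(2)   # wrong basis: uniformly random bit
    # Steps 4-5: Alice keeps the reported slots and checks the interval.
    I = {b: [i for i in received if theta[i] == b] for b in "+x"}
    lo = (1 - p_erase - eps) * n / 2
    hi = (1 - p_erase + eps) * n / 2
    if not all(lo <= len(I[b]) <= hi for b in "+x"):
        return {"aborted": True}
    X_I = {b: [X[i] for i in I[b]] for b in "+x"}
    F = {b: sample_hash(rng, ell, len(I[b])) for b in "+x"}
    syn = {b: syndromes(X_I[b]) for b in "+x"}   # sent at time n + T_rev
    S = {b: apply_hash(F[b], X_I[b]) for b in "+x"}
    # Step 6: Bob corrects X' restricted to I_C and hashes the result.
    x_cor = correct([x_bob[i] for i in I[choice]], syn[choice])
    return {
        "aborted": False,
        "S": S,
        "S_bob": apply_hash(F[choice], x_cor),
        "residual_errors": sum(a != b for a, b in zip(x_cor, X_I[choice])),
        "syndrome_bits": 3 * len(syn[choice]),
        "m_choice": len(I[choice]),
    }

if __name__ == "__main__":
    for p_error in (0.0, 0.01, 0.05):
        out = run_protocol(2000, 0.1, p_error, 0.2, 32, "+", random.Random(7))
        print(p_error, out["residual_errors"], out["S_bob"] == out["S"]["+"])
```

A block with two or more flips leaves residual errors and Bob's hash then differs from Alice's, which is the finite block-length effect a real code choice has to account for.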

6.2 Security Analysis 

Correctness By assumption, $p_{\mathrm{erase}}$ is independent for every pulse and independent of the basis in which Alice sent the qubits. Thus, by Chernoff's Inequality (Lemma 3.8), $S_{\mathrm{remain}}$ is, except with negligible probability, a random subset of $m$ qubits independent of the value of $\Theta$ and such that $(1 - p_{\mathrm{erase}} - \varepsilon)n \leq m \leq (1 - p_{\mathrm{erase}} + \varepsilon)n$. This implies that in Step 5 the protocol is aborted with a probability only exponentially small in $n$. The codes are chosen such that Bob can decode except with negligible probability. These facts imply that if both parties are honest, the protocol is correct (i.e. $S_C = S'_C$) with exponentially small probability of error.

Security against Dishonest Alice Even though in this scenario Bob does communicate to Alice, the information about which qubits were erased is (by assumption) independent of the basis in which he measured and thus of his choice bit $C$. Hence Alice does not learn anything about his choice bit $C$. Her input strings can be extracted as in the analysis of Protocol 1.

Security against Dishonest Bob We prove the following: 

Theorem 6.1 Protocol 2 is secure against a dishonest receiver Bob with error of at most $2\varepsilon$, if
'T' > I log T and 



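$$\ell \leq \big(t - \delta - h(p_{\mathrm{error}})\big)(1 - p_{\mathrm{erase}})\frac{n}{4} - \frac{\varepsilon n}{2} - \frac{1}{2} - \log\left(\frac{1}{\varepsilon}\right), \qquad (9)$$

where $\delta = 8\sqrt{\log(2/\varepsilon^2)/((1 - p_{\mathrm{erase}} - \varepsilon)n)}$ and $t$ is the uncertainty bound on the conditional Shannon entropy fulfilling Eq. (6).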

Proof (Sketch). First of all, we note that Bob can always make Alice abort the protocol by reporting back an insufficient number of received qubits. If Alice does not abort the protocol in Step 5, we have that $(1 - p_{\mathrm{erase}} - \varepsilon)n/2 \leq m_+, m_\times \leq (1 - p_{\mathrm{erase}} + \varepsilon)n/2$. We define $D$ as in the security proof of Protocol 1. The security analysis is the same, but we need to subtract the amount
of error correcting information \syn{X\j—)\ from the entropy of the dishonest receiver. If Alice does 
not abort the protocol in Step [51 we have that \syn{X\j_)\ < /i(perror)(l — Perase + £)n/2. Hence, 



H^^ i^Xjj\eFDDSDsyn{X\j_)KE'^ 

> H^ (^Xj^DSDsyn{X\j_)\@FDKEJ - {i + 1) - h{p,„,,)m/2 

> {t- 5){l- Pcrase " e)n/2 - (^ + 1) - /l (^Jerror ) ( 1 " Perase + e)n/2 - 1 
>{t- 5- /l(perror)(l " Perase)n/2 - (t - 6 + /l(perror)) Sn/2 -I- i, 



<2 



where $(t - \delta + h(p_{\mathrm{error}})) < 2$ since $t \leq 1$. Using this inequality to bound the security parameter via the privacy amplification Theorem 3.9 gives the claimed bound on $\ell$, Eq. (9). □



Remarks Note that it is only possible to choose a code $C$ that satisfies the stated parameters asymptotically. For a real (finite block-length) code, deviations from this asymptotic behavior need to be taken into account. For the sake of clarity we have omitted these details in the analysis above. Secondly, the dishonest parties need to obtain an estimate for $p_{\mathrm{error}}$ prior to the protocol. One approach would be to use a worst case estimate based on what is possible with present-day technology. Alternatively, one could follow Step 1 of the protocol in [BBCS92] as suggested above. However, one needs to analyze this estimation procedure in a practical setting. Thirdly, when weak photon sources are used in this protocol, one needs to analyze the security threat due to the presence of multi-photon emissions which Bob can exploit in photon-number-splitting attacks as in QKD. See [WST07] for a first discussion of the effect of such attacks.

6.3 Depolarizing Noise 

As an example, we again consider the security trade-off when Bob's storage is affected by depolarizing noise. It follows directly from Theorems 3.9, 6.1 and 5.1 that

Corollary 6.2 Let $\mathcal{N}$ be the depolarizing quantum operation given by Eq. (8). Then the protocol can be made secure (by choosing a sufficiently large $n$) as long as

$$h\!\left(\frac{1+r}{2}\right) > h(p_{\mathrm{error}}) \quad \text{for } r \geq \hat{r},$$

$$1/2 > h(p_{\mathrm{error}}) \quad \text{for } r < \hat{r},$$

where $\hat{r} := 2h^{-1}(1/2) - 1 \approx 0.7798$.

Hence, our security parameters are greatly improved from our previous analysis [WST07]. For $r < \hat{r}$ we can now obtain security as long as the quantum bit error rate $p_{\mathrm{error}} \lesssim 0.11$, compared to 0.029 before. For the case of $r \geq \hat{r}$, we can essentially show security as long as the noise on the channel is strictly less than the noise in Bob's quantum storage. Note that we cannot hope to construct a protocol that is both correct and secure when the noise of the channel exceeds the noise in Bob's quantum storage. However, it remains an open question whether it is possible to construct a protocol or improve the analysis of the current protocol such that security can be achieved even for very small $n$.
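The trade-off of Corollary 6.2 can be evaluated numerically. The following is an added example, not code from the paper: it inverts the binary entropy function by bisection, computes the threshold, and returns the largest tolerable bit-error rate for a given storage parameter r. The function names are hypothetical, and the bound for r above the threshold is taken to be h((1+r)/2), the entropy left when Bob stores the qubit unmeasured.

```python
import math

def h(p):
    """Binary entropy function h(p) in bits."""
    if p in (0.0, 1.0):
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def h_inv(y):
    """Inverse of h on [0, 1/2], by bisection (h is increasing there)."""
    lo, hi = 0.0, 0.5
    for _ in range(100):
        mid = (lo + hi) / 2
        if h(mid) < y:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

# Threshold 2 h^{-1}(1/2) - 1 with h^{-1} taken on the branch [1/2, 1],
# which equals 1 - 2 * (inverse on [0, 1/2]).
R_HAT = 1 - 2 * h_inv(0.5)

def uncertainty_bound(r):
    """Lower bound t on H(X|Theta K E) for depolarizing storage noise r.

    Assumption of this example: the bound for r >= R_HAT is h((1 + r) / 2).
    """
    return h((1 + r) / 2) if r >= R_HAT else 0.5

def is_secure(r, p_error):
    """Condition of Corollary 6.2: h(p_error) strictly below the bound."""
    return h(p_error) < uncertainty_bound(r)

def max_qber(r):
    """Supremum of the bit-error rates p_error < 1/2 meeting the condition."""
    return h_inv(uncertainty_bound(r))

def storage_error_rate(r):
    """Bit-flip rate of a stored BB84 qubit measured in the correct basis."""
    return (1 - r) / 2

if __name__ == "__main__":
    print("threshold r_hat =", round(R_HAT, 4))
    for r in (0.0, 0.5, 0.75, 0.8, 0.9, 0.99):
        print(r, round(max_qber(r), 4), round(storage_error_rate(r), 4))
```

Below the threshold the tolerable error rate is flat at about 0.11; above it, it coincides with the storage bit-flip rate (1 - r)/2, which is the sense in which channel noise has to stay strictly below storage noise.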



Corollary 6.2 puts a restriction on the noise rate of the honest protocol. Yet, since our protocols 
are particularly interesting at short distances (e.g. in the case of secure identification we describe 
below), we can imagine free-space implementations over very short distances such that depolar- 
ization noise during transmission is negligible and the main noise source is due to Bob's honest 
measurements. 

In the near-future, if good photonic memories become available (see e.g. [JSC+04, BBM+07, CMJ+05, EAM+05, RBV+07, PF02] for recent progress), we may anticipate that storing the qubit is a better attack than a direct measurement. Note, however, that we are free in our protocol to stretch the reveal time $T_{\mathrm{rev}}$ between Bob's reception of the qubits and his reception of the classical basis information, say, to seconds, which means that one has to consider the overall noise rate on a qubit that is stored for seconds.

In terms of long-term security, fault-tolerant photonic computation (e.g., with the KLM scheme [KLM01]) might allow a dishonest Bob to encode the incoming quantum information into a fault-tolerant quantum memory. Such an encoding would guarantee that the effective noise rate in storage can be made arbitrarily small. The encoding of a single unknown state is not a fault-tolerant quantum operation however. Hence, even in the presence of a quantum computer, there is a residual storage noise rate due to the unprotected encoding operation. The question of security then becomes a question of a trade-off between this residual noise rate versus the intrinsic noise rate for honest parties. Intuitively, it might be possible to arrange the setting such that tasks of honest players are always technically easier (and/or cheaper) to perform than the ones for dishonest players. Possibly, this intrinsic gap can be exploited for cryptographic purposes. The current paper can be appreciated as a first step in this direction.

7 Extension to Secure Identification 

In this section, we would like to point out how our model of noisy quantum storage with individual-storage attacks also applies to protocols that achieve more advanced tasks such as secure identification. The protocol from [DFSS07] allows a user U to identify him/herself to a server S by means of a personal identification number (PIN). This task can be achieved by securely evaluating the equality function on the player's inputs. In other words, both U and S input passwords $W_U$ and $W_S$ into the protocol and the server learns as output whether $W_U = W_S$ or not. The protocol proposed in [DFSS07] is secure against an unbounded user U and a quantum-memory bounded server S in the sense that it is guaranteed that if a dishonest player starts with quantum side information which is uncorrelated with the honest player's password $W$, the only thing the dishonest player can do is guess a possible $W'$ and learn whether $W = W'$ or not while not learning anything more than this mere bit of information about the honest user's password $W$. This protocol can also be (non-trivially) extended to additionally withstand man-in-the-middle attacks.

The security proof against a quantum-memory bounded dishonest server (and man-in-the-middle attacks) relies heavily on the uncertainty relation first derived in [DFR+07] and used for proving the security of 1-2 OT. This uncertainty relation guarantees a lower bound on the smooth min-entropy of the encoded string $X$ from the dishonest player's point of view. As we establish a similar type of lower bound (Cor. 3.5 and Eq. (6)) on the smooth min-entropy in the noisy-storage model, the security proof for the identification scheme (and its extension) translates to our model. In terms of the proof of Proposition 3.1 of [DFSS07], the pair $X_i, X_j$ has essentially $t \cdot d$ bits of min-entropy given $\Theta$, $K$, and $E$, where $t$ is the uncertainty lower bound on the conditional Shannon entropy from Eq. (6) and $d$ is the minimal distance of the code used in the identification scheme. Lemma 3.7 implies that there exists $W'$ (called $V$ in Lemma 3.7) such that if $W \neq W'$ then $X_W$ has essentially $td/2 - \log(m)$ bits of min-entropy given $W, W', \Theta, K, E$. Privacy amplification then guarantees that $F(X_W)$ is $\varepsilon'$-close to uniform and independent of $F, W, W', \Theta, K, E$, conditioned on $W \neq W'$, where $\varepsilon' = 2^{-\frac{1}{2}(td/2 - \log(m) - \ell)}$. Security against a dishonest server with noisy quantum storage follows as in [DFSS07] for an error parameter $\varepsilon$ which is exponentially small in $td - 2\log(m) - 2\ell$.

8 Conclusion 

We have obtained improved security parameters for oblivious transfer in the noisy-quantum-storage model. Yet, it remains to prove security against general coherent noisy attacks. The problem with analyzing a coherent attack of Bob described by some quantum operation $\mathcal{S}$ affecting all his incoming qubits is not merely a technical one: one first needs to determine a realistic noise model in this setting. Symmetrizing the protocol as in the proof of QKD [Ren05] and using de Finetti type arguments does not immediately work here. However, one can analyze a specific type of coherent noise, one that essentially corresponds to an eavesdropping attack in QKD. Note that the 1-2 OT protocol can be seen as two runs of QKD interleaved with each other. The strings $f(x|_{\mathcal{I}_+})$ and $f(x|_{\mathcal{I}_\times})$ are then the two keys generated. The noise must be such that it leaves Bob with exactly the same information as the eavesdropper Eve in QKD. In this case, it follows from the security of QKD that the dishonest Bob (learning exactly the same information as the eavesdropper Eve) does not learn anything about the two keys.

Clearly, there is a strong relation between QKD and the protocol for 1-2 OT, and one may 
wonder whether other QKD protocols can be used to perform oblivious transfer in our model. 
Intuitively, this is indeed the case, but it remains to evaluate explicit parameters for the security 
of the resulting protocols. 

It will be interesting to extend our results to a security analysis of a noise-robust protocol in a 
realistic physical setting, where, for example, the use of weak laser pulses allows the possibility of 
photon-number-splitting attacks. Such a comprehensive security analysis has been carried out in 
[GLLP04] for quantum key distribution.

A Appendix: Properties of The Conditional Smooth Min-Entropy

In this Appendix we provide the technical proofs of the Lemmas and the Theorem in Section 3.2.1. We restate the claims for convenience.



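A.1 Proof of Lemma 3.1 (Chain Rule)

Lemma A.1 (Chain Rule) For any ccq-state $\rho_{XYE} \in \mathcal{S}(\mathcal{H}_{XYE})$ and for all $\varepsilon \geq 0$, it holds that

$$H_\infty^{\varepsilon}(X|YE) \geq H_\infty^{\varepsilon}(XY|E) - \log|\mathcal{Y}|,$$

where $|\mathcal{Y}|$ is the alphabet size of the random variable $Y$.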

Proof. For $\varepsilon = 0$, it follows from Eq. (3) that we need to show that

$$P_{\mathrm{guess}}(XY|E) \geq P_{\mathrm{guess}}(X|YE) \cdot \frac{1}{|\mathcal{Y}|}. \qquad (10)$$

For a given value $y$, let $\{M_x\}_x$ be the POVM on register $E$ which optimally guesses $X$ given $Y$. A particular strategy of guessing $X$ and $Y$ from $E$ is to guess a value of $y$ uniformly at random from $\mathcal{Y}$ and subsequently measure $E$ with the POVM $\{M_x\}_x$. The success probability of this strategy is exactly the r.h.s of (10). Clearly, the optimal guessing probability $P_{\mathrm{guess}}(XY|E)$ can only be better than this particular strategy. For $\varepsilon > 0$, let $\hat\rho_{XYE} \in \mathcal{K}^{\varepsilon}(\rho_{XYE})$ be the state in the $\varepsilon$-ball around $\rho_{XYE}$ that maximizes the min-entropy $H_\infty(XY|E)$. The technique from Remark 3.2.4 in [Ren05] can be used to show that $\hat\rho_{XYE}$ is a ccq-state. By the derivation above for $\varepsilon = 0$, we obtain that

$$P_{\mathrm{guess}}(XY|E)_{\hat\rho} \geq P_{\mathrm{guess}}(X|YE)_{\hat\rho} \cdot \frac{1}{|\mathcal{Y}|} \geq \min_{\bar\rho_{XYE} \in \mathcal{K}^{\varepsilon}(\rho_{XYE})} P_{\mathrm{guess}}(X|YE)_{\bar\rho} \cdot \frac{1}{|\mathcal{Y}|},$$

which proves the lemma by taking the negative logarithms and using Eq. (3). □

A.2 Proof of Lemma 3.2 (Additivity)

To show additivity of the smooth min-entropy we will employ semidefinite programming, where we refer to [BV04] for in-depth information. Here, we will use semidefinite programming in the language of [KRS09] to express the primal and dual optimization problem given by parameters $c \in V_1$ and $b \in V_2$ in vector spaces $V_1$ and $V_2$ with inner products $\langle\cdot,\cdot\rangle_1$ and $\langle\cdot,\cdot\rangle_2$. We will optimize over variables $v_1 \in K_1$ and $v_2 \in K_2$, where $K_1 \subset V_1$ and $K_2 \subset V_2$ are convex cones in the respective vector spaces. In our application below, these will simply be the cones of positive-semidefinite matrices. We can then write

$$\gamma^{\mathrm{primal}} = \min_{\substack{v_1 \geq 0 \\ A v_1 \geq b}} \langle v_1, c\rangle_1 \quad \text{and} \quad \gamma^{\mathrm{dual}} = \max_{\substack{v_2 \geq 0 \\ A^* v_2 \leq c}} \langle b, v_2\rangle_2, \qquad (11)$$

where $A : V_1 \to V_2$ is a linear map defining the particular problem we wish to solve. We use $A^* : V_2 \to V_1$ to denote its dual map satisfying

$$\langle A v_1, v_2\rangle_2 = \langle v_1, A^* v_2\rangle_1 \quad \text{for all } v_1 \in V_1, v_2 \in V_2.$$

Note that we have $\gamma^{\mathrm{primal}} \geq \gamma^{\mathrm{dual}}$ by weak duality. In this case our SDPs will be strongly feasible, giving us $\gamma^{\mathrm{primal}} = \gamma^{\mathrm{dual}}$, known as strong duality. Our proof is based on the same idea as [WST07, Lemma 2] applied to the smoothed setting. We thank Robert König for allowing us to include the following.

Lemma A.2 (Additivity (König and Wehner)) Let $\rho_{AB}$ and $\rho_{A'B'}$ be two independent qq-states. For $\varepsilon > 0$, it holds that

$$H_\infty^{\varepsilon^2}(AA'|BB') \leq H_\infty^{\varepsilon}(A|B) + H_\infty^{\varepsilon}(A'|B').$$

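Proof. In order to prove additivity, it is important to realize that the smooth conditional min-entropy can be written as a semi-definite program:

$$H_\infty^{\varepsilon}(A|B) = \max_{\hat\rho_{AB} \in \mathcal{K}^{\varepsilon}(\rho_{AB})} H_\infty(A|B)_{\hat\rho}$$

$$= \max_{\hat\rho_{AB} \in \mathcal{K}^{\varepsilon}(\rho_{AB})} -\log \min_{\substack{\sigma_B \geq 0 \\ \mathrm{id}_A \otimes \sigma_B \geq \hat\rho_{AB}}} \mathrm{Tr}(\sigma_B) \qquad (12)$$

$$= -\log \min_{\substack{\hat\rho_{ABC} \geq 0 \\ \hat\rho_{AB} \in \mathcal{K}^{\varepsilon}(\rho_{AB}) \\ \mathrm{id}_A \otimes \sigma_B \geq \hat\rho_{AB}}} \mathrm{Tr}(\sigma_B), \qquad (13)$$

where $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$ throughout. Let $|\psi\rangle_{ABC}$ be a purification of $\rho_{AB}$. Then, all states $\hat\rho_{AB} \in \mathcal{K}^{\varepsilon}(\rho_{AB})$ can be obtained by an extension $\hat\rho_{ABC} \geq 0$ such that $\mathrm{Tr}(\hat\rho_{ABC}) \leq 1$ and $\mathrm{Tr}(\hat\rho_{ABC}|\psi_{ABC}\rangle\langle\psi_{ABC}|) \geq 1 - \delta$ with $\delta = \varepsilon^2$. Therefore, we can write

$$H_\infty^{\varepsilon}(A|B) = -\log \min_{\substack{\mathrm{Tr}(\hat\rho_{ABC}|\psi_{ABC}\rangle\langle\psi_{ABC}|) \geq 1-\delta \\ 1 \geq \mathrm{Tr}(\hat\rho_{ABC}) \\ \mathrm{id}_A \otimes \sigma_B \geq \hat\rho_{AB}}} \mathrm{Tr}(\sigma_B),$$

where the minimum is taken over all $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$ and $\hat\rho_{ABC} \in \mathcal{P}(\mathcal{H}_{ABC})$, which is a semi-definite program (SDP). Our goal will be to determine the dual of this semidefinite program which will then allow us to put an upper bound on the smooth min-entropy as desired.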

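We now first show how to convert the primal of this semidefinite program into the form of Eq. (11). Let $V_1 = \mathrm{Herm}(\mathcal{H}_B) \oplus \mathrm{Herm}(\mathcal{H}_{ABC})$ where $\mathrm{Herm}(\mathcal{H})$ is the (real) vector space of Hermitian operators on $\mathcal{H}$. Let $K_1 \subset V_1$ be the cone of positive semi-definite operators. Let $c = \mathrm{id}_B \oplus 0_{ABC}$ where $0_{ABC}$ is the zero-operator on $\mathcal{H}_{ABC}$. Let the inner product be defined as $\langle v_1, v_1'\rangle_1 = \mathrm{Tr}(v_1^\dagger v_1')$. Note that this allows us to express our objective function as

$$\langle \sigma_B \oplus \hat\rho_{ABC}, c\rangle_1 = \mathrm{Tr}(\sigma_B).$$

It remains to rewrite the constraints in the appropriate form. To this end, we need to define $V_2 = \mathbb{R} \oplus \mathbb{R} \oplus \mathrm{Herm}(\mathcal{H}_A) \otimes \mathrm{Herm}(\mathcal{H}_B)$, $K_2 \subset V_2$ the cone of positive semi-definite operators and take the inner product to have the same form $\langle v_2, v_2'\rangle_2 = \mathrm{Tr}(v_2^\dagger v_2')$. We then let $b \in V_2$ be given as

$$b = (1-\delta) \oplus (-1) \oplus 0_{AB},$$

and define the map

$$A(\sigma_B \oplus \hat\rho_{ABC}) = \mathrm{Tr}(\hat\rho_{ABC}|\psi_{ABC}\rangle\langle\psi_{ABC}|) \oplus (-\mathrm{Tr}(\hat\rho_{ABC})) \oplus (\mathrm{id}_A \otimes \sigma_B - \hat\rho_{AB}).$$

Note that $v_1 = \sigma_B \oplus \hat\rho_{ABC} \geq 0$ and $A(v_1) \geq b$ now exactly represent our constraints.

We now use this formalism to find the dual. Note that we may write any $v_2 \in V_2$ with $v_2 \geq 0$ as $v_2 = r \oplus s \oplus Q_{AB}$ where $Q_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$ and $r, s \in \mathbb{R}$. To find the dual map $A^*$ note that

$$\langle A v_1, v_2\rangle_2 = r\,\mathrm{Tr}(\hat\rho_{ABC}|\psi_{ABC}\rangle\langle\psi_{ABC}|) - s\,\mathrm{Tr}(\hat\rho_{ABC}) + \mathrm{Tr}(Q_{AB}(\mathrm{id}_A \otimes \sigma_B - \hat\rho_{AB}))$$

$$= r\,\mathrm{Tr}(\hat\rho_{ABC}|\psi_{ABC}\rangle\langle\psi_{ABC}|) - s\,\mathrm{Tr}(\hat\rho_{ABC}) + \mathrm{Tr}(Q_B\sigma_B) - \mathrm{Tr}((Q_{AB} \otimes \mathrm{id}_C)\hat\rho_{ABC}),$$

and we therefore have

$$A^*(v_2) = (0_B \oplus r|\psi_{ABC}\rangle\langle\psi_{ABC}|) - (0_B \oplus s\,\mathrm{id}_{ABC}) + (Q_B \oplus 0_{ABC}) - (0_B \oplus Q_{AB} \otimes \mathrm{id}_C),$$

which is all we require using Eq. (11). To find a more intuitive interpretation of the dual note that $A^*(v_2) \leq c$ is equivalent to

$$\mathrm{id}_B \geq Q_B, \qquad (14)$$

$$Q_{AB} \otimes \mathrm{id}_C \geq r|\psi_{ABC}\rangle\langle\psi_{ABC}| - s\,\mathrm{id}_{ABC}, \qquad (15)$$

and $\langle b, v_2\rangle_2 = r(1-\delta) - s$. The dual can thus be written as

$$\gamma^{\mathrm{dual}} = \max_{\substack{r \geq 0,\ s \geq 0 \\ \mathrm{id}_B \geq Q_B \\ Q_{AB} \otimes \mathrm{id}_C \geq r|\psi_{ABC}\rangle\langle\psi_{ABC}| - s\,\mathrm{id}_{ABC}}} r(1-\delta) - s.$$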

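We now use the dual formulation to upper bound the smooth min-entropy of the combined state $\rho_{AB} \otimes \rho_{A'B'}$ and parameter $\hat\delta$ by finding a lower bound to the dual semidefinite program. Let $\hat\gamma(\hat\delta)$ denote the optimal solution of the dual of the SDP for the combined state for error $\hat\delta$. For each individual state, we may solve the above SDP, where we let $Q_{AB}$, $r$ and $s$ denote the optimal solution for state $\rho_{AB}$ with parameter $\delta$ and optimal value $\gamma(\delta)$, and let $Q_{A'B'}$, $r'$ and $s'$ denote the optimal solution for state $\rho_{A'B'}$ with parameter $\delta'$ and optimal value $\gamma'(\delta')$. We now use these solutions to construct a solution (not necessarily the optimal one) for the combined state $\rho_{AB} \otimes \rho_{A'B'}$. Let $\hat{Q} = Q_{AB} \otimes Q_{A'B'}$, $\hat{r} = rr'$ and $\hat{s} = rs'(1-\delta) + sr'(1-\delta') - ss'$. Note that $rs' \geq 0$ and $r'(1-\delta') - s' \geq 0$ for the optimal $r', s'$ and hence

$$\hat{r} \geq 0, \quad \hat{s} \geq 0,$$

$$\mathrm{id}_{BB'} \geq \hat{Q}_{BB'},$$

$$\hat{Q}_{AA'BB'} \otimes \mathrm{id}_{CC'} \geq (r|\psi_{ABC}\rangle\langle\psi_{ABC}| - s\,\mathrm{id}_{ABC}) \otimes (r'|\psi_{A'B'C'}\rangle\langle\psi_{A'B'C'}| - s'\,\mathrm{id}_{A'B'C'})$$

$$\geq \hat{r}\,|\psi_{ABC}\rangle\langle\psi_{ABC}| \otimes |\psi_{A'B'C'}\rangle\langle\psi_{A'B'C'}| - \hat{s}\,\mathrm{id}_{ABC} \otimes \mathrm{id}_{A'B'C'},$$

and thus $\hat{Q}$ is indeed a feasible solution for the combined problem. Choosing $\hat\delta$ as

$$\hat\delta = \delta + \delta' - \delta\delta'$$

we have

$$\hat\gamma(\hat\delta) \geq \hat{r}(1-\hat\delta) - \hat{s} = \gamma(\delta)\gamma'(\delta').$$

We hence obtain

$$H_\infty^{\sqrt{\hat\delta}}(AA'|BB') \leq H_\infty^{\sqrt{\delta}}(A|B) + H_\infty^{\sqrt{\delta'}}(A'|B').$$

For $\delta = \delta'$, we have

$$\hat\delta = 2\delta - \delta^2 \geq \delta^2.$$

Putting everything together we thus have

$$H_\infty^{\delta}(AA'|BB') \leq H_\infty^{\sqrt{\delta}}(A|B) + H_\infty^{\sqrt{\delta}}(A'|B'),$$

from which the result follows since $\delta = \varepsilon^2$. □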



A.3 Proof of Lemma 3.3 (Monotonicity)

Lemma A.3 (Monotonicity) For a ccq-state $\rho_{XYE}$ and for all $\varepsilon \geq 0$, it holds that

$$H_\infty^{\varepsilon}(XY|E) \geq H_\infty^{\varepsilon}(Y|E).$$

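Proof. For $\varepsilon = 0$, the lemma follows from Eq. (3), that is, guessing $XY$ from $E$ is harder than guessing only $Y$ from $E$ and therefore, $P_{\mathrm{guess}}(XY|E) \leq P_{\mathrm{guess}}(Y|E)$.

For $\varepsilon > 0$ the idea behind the argument is similar. Let the maximum in $H_\infty^{\varepsilon}(Y|E)$ be achieved by a density matrix $\hat\rho_{YE}$, i.e. $H_\infty^{\varepsilon}(Y|E) = H_\infty(Y|E)_{\hat\rho}$ such that $C(\rho_{YE}, \hat\rho_{YE}) \leq \varepsilon$ and $\mathrm{Tr}(\hat\rho_{YE}) \leq 1$. Remark 3.2.4 in [Ren05] shows that $\hat\rho_{YE}$ is a cq-state. We can express this min-entropy in terms of the guessing probability, Eq. (3), and thus

$$H_\infty^{\varepsilon}(Y|E)_{\rho} = -\log P_{\mathrm{guess}}(Y|E)_{\hat\rho_{YE}} \leq -\log P_{\mathrm{guess}}(XY|E)_{\hat\rho_{XYE}}, \qquad (16)$$

where $\hat\rho_{XYE}$ is any ccq-state which has $\hat\rho_{YE}$ as its reduced state, i.e. $\mathrm{Tr}_X(\hat\rho_{XYE}) = \hat\rho_{YE}$. Now we would like to show that one can choose an extension $\hat\rho_{XYE}$ such that $C(\rho_{XYE}, \hat\rho_{XYE}) = \sqrt{1 - F^2(\rho_{XYE}, \hat\rho_{XYE})} \leq \varepsilon$ and $\mathrm{Tr}(\hat\rho_{XYE}) \leq 1$. If we can determine such an extension, we can upper-bound the r.h.s. in Eq. (16) by $H_\infty^{\varepsilon}(XY|E)$ which is the supremum of $-\log P_{\mathrm{guess}}(XY|E)$ over states in the $\varepsilon$-neighborhood of $\rho_{XYE}$. This would prove the Lemma.

Let $|\Psi\rangle_{XYEC}$ be a purification of $\rho_{XYE}$ and hence also a purification of $\rho_{YE}$. By Uhlmann's theorem (see e.g. [NC00]), we have for the fidelity $F(\rho_{YE}, \hat\rho_{YE})$ between $\rho_{YE}$ and $\hat\rho_{YE}$ that

$$F(\rho_{YE}, \hat\rho_{YE}) = \max_{|\Psi'\rangle} |\langle\Psi|\Psi'\rangle| := F(|\Psi\rangle\langle\Psi|, |\hat\Psi\rangle\langle\hat\Psi|),$$

where $|\hat\Psi\rangle_{XYEC}$ is the purification of $\hat\rho_{YE}$ achieving the maximum. The monotonicity property of the fidelity under taking the partial trace gives

$$F(|\Psi\rangle\langle\Psi|, |\hat\Psi\rangle\langle\hat\Psi|) \leq F(\mathrm{Tr}_C(|\Psi\rangle\langle\Psi|), \mathrm{Tr}_C(|\hat\Psi\rangle\langle\hat\Psi|)) = F(\rho_{XYE}, \hat\rho_{XYE}),$$

where $\hat\rho_{XYE} := \mathrm{Tr}_C(|\hat\Psi_{XYEC}\rangle\langle\hat\Psi_{XYEC}|)$. Hence

$$\sqrt{1 - \varepsilon^2} \leq F(\rho_{YE}, \hat\rho_{YE}) \leq F(\rho_{XYE}, \hat\rho_{XYE}), \qquad (17)$$

and therefore, $C(\rho_{XYE}, \hat\rho_{XYE}) \leq \varepsilon$. If $\mathrm{Tr}(\hat\rho_{XYE}) > 1$, it follows that also $\mathrm{Tr}(\hat\rho_{YE}) > 1$ which contradicts the assumption. Therefore, it must be the case that $\mathrm{Tr}(\hat\rho_{XYE}) \leq 1$. It remains to show that $\hat\rho_{XYE}$ is a ccq-state. Because of

$$F(\rho_{YE}, \hat\rho_{YE}) = F(|\Psi\rangle\langle\Psi|, |\hat\Psi\rangle\langle\hat\Psi|) \leq F(\mathrm{Tr}_C(|\Psi\rangle\langle\Psi|), \mathrm{Tr}_C(|\hat\Psi\rangle\langle\hat\Psi|)) = F(\rho_{XYE}, \hat\rho_{XYE}) \leq F(\rho_{YE}, \hat\rho_{YE}),$$

these quantities are all equal and in particular, we could do a measurement on the $X$-register of $\hat\rho_{XYE}$ without increasing the fidelity. Hence, we can assume the optimal purification $|\hat\Psi_{XYEC}\rangle\langle\hat\Psi_{XYEC}|$ is such that $\hat\rho_{XYE}$ is a ccq-state. □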



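A.4 Proof of Theorem 3.4

Theorem A.4 For $i = 1, \ldots, n$, let $\rho_i \in \mathcal{S}(\mathcal{H}_{AB})$ be density operators. Then, for any $\varepsilon > 0$,

$$H_\infty^{\varepsilon}(A^n|B^n)_{\bigotimes_{i=1}^n \rho_i} \geq \sum_{i=1}^{n} H(A_i|B_i)_{\rho_i} - \delta(\varepsilon,\gamma)\sqrt{n},$$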



where, for n > I log -^ , the error is given by 



$$\delta(\varepsilon,\gamma) := 4\log\gamma\,\sqrt{\log\frac{2}{\varepsilon^2}}$$

and the single-system entropy contribution by

$$\gamma \leq 2\max_i \sqrt{\mathrm{rank}(\rho_{A_i})} + 1.$$

Proof. The proof is analogous to the proof of Theorem 7 in [TCR08]. For convenience, we point out where their proof needs to be adapted. We need the following definitions. Let $\mathcal{H}_{A'B'}$ be a copy of $\mathcal{H}_{AB}$ and let $|\gamma\rangle := \sum_i |i\rangle|i\rangle$ be the unnormalized fully entangled state on $\mathcal{H}_{AB} \otimes \mathcal{H}_{A'B'}$. Define
the purification \(j)) := {^/pab ® idyls) I7) of pab and let 1 < a < 2, /3 := a — 1, and X := pab '^ 
{\dA^ Pb )^- The conditional a-entropy is defined as Ila{A\B)p\„ := j^ logTr(p^^(idyi®(7B)"'^~"). 
The authors of |TCR08j prove the following lower bound 

RaiA\B)p\p > HiA\B)p - -^i'PlMXM) , (18) 

where r'/3(t) := t^ — /51nt — 1. 

Let p = p\^ ... p'ab- Then, as in Equation (27) of |TCR08| . we have 

ff^ {A-\B-)^ > H^ (A"|i?")^|^ > H„(A"|i?")p|^ - ^ ^°S I 

" 12 

= Y,^o.{A\B)p.\p.--log^ 

> X: {ii{A\B)p. - ^{<t>\r,{X^M)) - ^log| , (19) 



where we used (18) in the last step. 

Let us define the single-system entropy contributions 7* := {(p\VX'^ + 1/vX* + id|(/)) of which 
we know that they are all > 3 and let 7max be the largest of them. By choosing an appropriate 
/i > such that 

1/51 n 1 

p = ^ — A/ i — ^"^i^ 



2/i^ V 8 2 log 7max \ 4 ' 2 log 7ma 

we can bound 

^ MMX'M) < ^log2(y) < ^log'(7max) 



/31n2 P\/n P\/n 



Therefore, we can further lower bound ( 19 ) as 

2 



ff^ {A^\B^)^ > Y, H{A\B)p, - E ^ log'(7max) - 2^Vnlog 

> Y, H{A\B)p. -2^[- log2(7^ax) + ^log - 
i=i ^^ ^ 



£2 



and the rest of the derivation goes as after Equation (28) in [TCR08].

In order to obtain the upper bound on $\gamma$, we notice that $H_{1/2}(A|B)_{\rho|\rho} \leq H_{1/2}(A)_{\rho} \leq H_0(A)_{\rho} = \log(\mathrm{rank}(\rho_A))$. □



B Appendix: Proof of Theorem 5.1

B.1 Setting the Stage

We use the symmetries inherent in our problem to prove Theorem 5.1 in a series of steps.

Theorem B.1 Let $\mathcal{N}$ be the depolarizing quantum operation given by Eq. (8) and let $H(X|\Theta KE)$ be the conditional von Neumann entropy of one qubit. Then

$$H(X|\Theta KE) \geq \begin{cases} h\!\left(\frac{1+r}{2}\right) & \text{for } r \geq \hat{r}, \\ 1/2 & \text{for } r < \hat{r}, \end{cases}$$

where $\hat{r} := 2h^{-1}(1/2) - 1 \approx 0.7798$.

In order to prove the theorem, we find Bob's strategy which minimizes $H(X|\Theta KE)$ as a function of the depolarizing noise parameter $r$. As depicted in Figure 2, in each round the dishonest receiver Bob receives one of the four possible BB84 states $\rho_{x\theta}$ at random. On such state he may then perform any (partial) measurement $M$ given by measurement operators $M = \{F_k\}$ such that $\sum_k F_k^\dagger F_k = \mathrm{id}$. For clarity of notation, we do not use a subscript to indicate the round $i$ as in the Figure. We denote by $E$ the register containing the renormalized post-measurement state

$$\rho_{x\theta}^{k,M} = \frac{F_k \rho_{x\theta} F_k^\dagger}{p^M_{k|x\theta}},$$

to which the depolarizing quantum operation $\mathcal{N}$ is applied. Here

$$p^M_{k|x\theta} = \mathrm{Tr}(F_k \rho_{x\theta} F_k^\dagger)$$

is the probability to measure outcome $k$ when given state $\rho_{x\theta}$. We omit the superscript $M$ if it is clear which measurement is used. Note that we may write

$$p_{x\theta k} = \frac{1}{4}\,p_{k|x\theta},$$

$$\sum_x p_{x\theta k} = p_{\theta k} = \frac{1}{4}\mathrm{Tr}\big(F_k(\rho_{0\theta} + \rho_{1\theta})F_k^\dagger\big) = \frac{1}{4}\mathrm{Tr}(F_k F_k^\dagger),$$

and

$$p^M_{x|\theta k} = \frac{p_{k|x\theta}}{4\,p^M_{\theta k}}.$$

Here we have used the fact that Alice chooses the basis and bit in each round uniformly and independently at random.

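First of all, note that for a cq-state $\rho_{YE} = \sum_y P_Y(y)|y\rangle\langle y| \otimes \rho_E^y$, the von Neumann entropy can be expanded as

$$H(YE) = H(Y) + \sum_y P_Y(y) H(\rho_E^y).$$

Using this expansion, we can write

$$H(X|\Theta KE)_M = H(X\Theta KE)_M - H(\Theta KE)_M$$

$$= H(X\Theta K)_M + \sum_{x\theta k} p^M_{x\theta k} H\big(\mathcal{N}(\rho^{k,M}_{x\theta})\big) - H(\Theta K)_M - \sum_{\theta k} p^M_{\theta k} H\Big(\mathcal{N}\Big(\sum_x p^M_{x|\theta k}\rho^{k,M}_{x\theta}\Big)\Big)$$

$$= H(X|\Theta K)_M + \sum_{x\theta k} p^M_{x\theta k} H\big(\mathcal{N}(\rho^{k,M}_{x\theta})\big) - \sum_{\theta k} p^M_{\theta k} H\Big(\sum_x p^M_{x|\theta k}\mathcal{N}(\rho^{k,M}_{x\theta})\Big). \qquad (20)$$

We use the notation $H(X|\Theta KE)_M$ to emphasize that we consider the conditional von Neumann entropy when Bob performed a partial measurement $M$. In the following, we use the shorthand

$$B(M) := H(X|\Theta KE)_M.$$

B.2 Using Symmetries to Reduce Degrees of Freedom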

Our goal is to minimize $B(M)$ over all possible measurements $M = \{F_k\}$ as a function of $r$. We proceed in three steps. First, we simplify our problem considerably until we are left with a single Hermitian measurement operator over which we need to minimize the entropy. Second, we show that the optimal measurement operator is diagonal in the computational basis. And finally, we show that depending on the amount of noise, this measurement operator is either proportional to the identity, or proportional to a rank one projector.

First, we prove a property of the function $B(M)$ for a composition of two measurements. Intuitively, the following statement uses the fact that if we choose one measurement with probability $\alpha$ and another measurement with probability $\beta$ our average success probability is the average of the success probabilities obtained via the individual measurements:

Claim 1 Let $F = \{F_k\}_{k=1}^{f}$ and $G = \{G_k\}_{k=f+1}^{f+g}$ be two measurements. Then, for $0 \leq \alpha \leq 1$ and a combined measurement $M = \alpha F + (1-\alpha)G := \{\sqrt{\alpha}F_k\}_{k=1}^{f} \cup \{\sqrt{1-\alpha}\,G_k\}_{k=f+1}^{f+g}$, we have

$$B(\alpha F + (1-\alpha)G) = \alpha B(F) + (1-\alpha) B(G).$$

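Proof. Let $F = \{F_k\}_{k=1}^{f}$ and $G = \{G_k\}_{k=f+1}^{f+g}$ be measurements, $0 \leq \alpha \leq 1$ and let $M := \{\sqrt{\alpha}F_k\}_{k=1}^{f} \cup \{\sqrt{1-\alpha}\,G_k\}_{k=f+1}^{f+g}$.

It is easy to verify that we have the following relations for $1 \leq k \leq f$: $p^M_{\theta k} = \alpha p^F_{\theta k}$, $p^M_{x|\theta k} = \frac{\alpha p^F_{x\theta k}}{\alpha p^F_{\theta k}} = p^F_{x|\theta k}$, $p^M_{k|x\theta} = \alpha p^F_{k|x\theta}$ and $\rho^{k,M}_{x\theta} = \frac{\alpha F_k \rho_{x\theta} F_k^\dagger}{p^M_{k|x\theta}} = \frac{F_k \rho_{x\theta} F_k^\dagger}{p^F_{k|x\theta}} = \rho^{k,F}_{x\theta}$, and analogously for $f+1 \leq k \leq f+g$.

We consider the three summands in Eq. (20) separately. For the first term we get

$$H(X|\Theta K)_M = \sum_{\theta k} p^M_{\theta k}\, h\big(p^M_{0|\theta k}\big) = \sum_{\theta}\sum_{k=1}^{f} \alpha p^F_{\theta k}\, h\big(p^F_{0|\theta k}\big) + \sum_{\theta}\sum_{k=f+1}^{f+g} (1-\alpha) p^G_{\theta k}\, h\big(p^G_{0|\theta k}\big) = \alpha H(X|\Theta K)_F + (1-\alpha) H(X|\Theta K)_G.$$

For the second term, we obtain

$$\sum_{x\theta k} p^M_{x\theta k} H\big(\mathcal{N}(\rho^{k,M}_{x\theta})\big) = \alpha \sum_{x\theta}\sum_{k=1}^{f} p^F_{x\theta k} H\big(\mathcal{N}(\rho^{k,F}_{x\theta})\big) + (1-\alpha)\sum_{x\theta}\sum_{k=f+1}^{f+g} p^G_{x\theta k} H\big(\mathcal{N}(\rho^{k,G}_{x\theta})\big).$$

The third term yields

$$\sum_{\theta k} p^M_{\theta k} H\Big(\sum_x p^M_{x|\theta k}\mathcal{N}(\rho^{k,M}_{x\theta})\Big) = \alpha\sum_{\theta}\sum_{k=1}^{f} p^F_{\theta k} H\Big(\sum_x p^F_{x|\theta k}\mathcal{N}(\rho^{k,F}_{x\theta})\Big) + (1-\alpha)\sum_{\theta}\sum_{k=f+1}^{f+g} p^G_{\theta k} H\Big(\sum_x p^G_{x|\theta k}\mathcal{N}(\rho^{k,G}_{x\theta})\Big).$$

□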

We can now make a series of observations. 
Claim 2 Let $M = \{F_k\}$ and $G = \{\mathrm{id}, X, Z, XZ\}$. Then for all $g \in G$ we have $B(M) = B(gMg^\dagger)$.

Proof. First of all, note that for all $g \in G$, $g$ can at most exchange the roles of 0 and 1. That is,
we can perform a bit flip before the measurement which we can correct for afterwards by applying
classical post-processing. Furthermore, since $g \in G$ is Hermitian and unitary we have

$$p^{gMg^\dagger}_{\theta k} = \tfrac{1}{4} \mathrm{Tr}\big(g F_k g^\dagger (\rho_{0\theta} + \rho_{1\theta})\, g F_k^\dagger g^\dagger\big) = \tfrac{1}{4} \mathrm{Tr}\big(F_k F_k^\dagger\big) = p^{M}_{\theta k} ,$$

and hence there exists a bijection $f : \{0, 1\} \to \{0, 1\}$ such that

$$p^{gMg^\dagger}_{x|\theta k} = p^{M}_{f(x)|\theta k} .$$



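Again, we consider the three summands in Eq. (20) separately. For the first term, observe that

$$H(X|\Theta K)_{gMg^\dagger} = \sum_{\theta k} p^{gMg^\dagger}_{\theta k}\, h\big(p^{gMg^\dagger}_{0|\theta k}\big) = \sum_{\theta k} p^{M}_{\theta k}\, h\big(p^{M}_{f(0)|\theta k}\big) = H(X|\Theta K)_M .$$

To analyze the second term, note that we can write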



PxOk — Pf(x)ek ' 

and for depolarizing noise $\mathcal{N}(U\rho U^\dagger) = U\mathcal{N}(\rho)U^\dagger$; in addition the von Neumann entropy itself
is invariant under unitary operations, $H(g\,\mathcal{N}(\rho)\,g^\dagger) = H(\mathcal{N}(\rho))$. Putting everything together, we
obtain

x9k x9k 

By a similar argument, we derive the equality for the third term 



Y.PII'' H E^^.?/^ {pT'') = Epei H E4..^ {p'J 



;P9k^ [l^PxW \f^^^' 

9k \ X ' 'J 9k 



□



Claim 3 Let $G = \{\mathrm{id}, X, Z, XZ\}$. There exists a measurement operator $F$ such that the minimum
of $B(M)$ over all measurements $M$ is achieved by a measurement proportional to $\{gFg^\dagger \mid g \in G\}$.

Proof. Let $M = \{F_k\}$ be a measurement. Let $K = |M|$ be the number of measurement operators.
Clearly, $\tilde{M} = \{F_{g,k}\}$ with

$$F_{g,k} = \tfrac{1}{2}\, g F_k g^\dagger ,$$

is also a quantum measurement since $\sum_{g,k} F_{g,k}^\dagger F_{g,k} = \mathrm{id}$. It follows from Claims 1 and 2 that
$B(M) = B(\tilde{M})$. Define operators

$$N_{g,k} = \frac{1}{\sqrt{2\,\mathrm{Tr}(F_k^\dagger F_k)}}\; g F_k g^\dagger .$$

Note that

9&G yj2TT{FlFk) n,t,e{0,l} 

(see for example Hayashi [Hay06]). Hence $M_k = \{N_{g,k}\}$ is a valid quantum measurement. Now,
note that $\tilde{M} = \{F_{g,k}\}$ can be obtained from $M_1, \ldots, M_K$ by averaging. Hence, by Claim 1 we have

$$B(M) = B(\tilde{M}) \geq \min_k B(M_k) .$$

Let $M^*$ be the optimal measurement. Clearly, $m = B(M^*) \geq \min_k B(M_k) \geq m$ by the above and
Claim 2, from which the present claim follows. □

Finally, we note that we can restrict ourselves to optimizing over positive semi-definite (and
hence Hermitian) matrices only.

Claim 4 Let $F$ be a measurement operator and $M^{F} = \{gFg^\dagger \mid g \in G\}$ the associated measurement.
Then there exists a Hermitian operator $\hat{F}$ such that $B(M^{F}) = B(M^{\hat{F}})$.

Proof. Let $F^\dagger = \hat{F}U$ be the polar decomposition of $F^\dagger$, where $\hat{F}$ is positive semi-definite and $U$
is unitary [HJ85, Corollary 7.3.3]. Evidently, since the trace is cyclic, all probabilities remain the
same. Using the invariance of the von Neumann entropy and the depolarizing quantum operation
under unitaries, the claim follows. □

Note that Claim 3 also gives us that we have at most 4 measurement operators. Wlog, we
take the measurement outcomes to be labeled 1, 2, 3, 4 and measurement operators $F_1 = F$, $F_2 =
XFX$, $F_3 = ZFZ$, $F_4 = XZFZX$. Our final observation is the following easy claim.

Claim 5 For any linear operator $F$ on Hilbert space $\mathcal{H}$ and any state $|\phi\rangle \in \mathcal{H}$ such that $F|\phi\rangle \neq 0$,
it holds that the operator $P := \frac{F|\phi\rangle\langle\phi|F^\dagger}{\mathrm{Tr}(F|\phi\rangle\langle\phi|F^\dagger)}$ is a projector with $\mathrm{rank}(P) = 1$.

Proof. Notice that $|\phi\rangle\langle\phi|F^\dagger F|\phi\rangle\langle\phi| = \mathrm{Tr}(F|\phi\rangle\langle\phi|F^\dagger)\,|\phi\rangle\langle\phi|$. Thus

$$P^2 = \frac{F|\phi\rangle\langle\phi|F^\dagger F|\phi\rangle\langle\phi|F^\dagger}{\mathrm{Tr}(F|\phi\rangle\langle\phi|F^\dagger)^2} = \frac{F|\phi\rangle\langle\phi|F^\dagger}{\mathrm{Tr}(F|\phi\rangle\langle\phi|F^\dagger)} = P .$$

As $F|\phi\rangle \neq 0$ we have that $\mathrm{rank}(F|\phi\rangle\langle\phi|F^\dagger) = 1$. □

Exploiting our observations, we can considerably simplify the expression $B(M)$ to be minimized:

Lemma B.2 Let $B(M)$ be defined as above. Then

$$\min_{M} B(M) = \min_{F} C(F) ,$$

where the minimization is taken over Hermitian operators $F \in \mathbb{C}^{2\times 2}$ and $C(F)$ is defined as

$$C(F) = \frac{1}{2}\Big(h\big(2\,\mathrm{Tr}(F\rho_{0+}F)\big) + h\big(2\,\mathrm{Tr}(F\rho_{0\times}F)\big)\Big) + h\Big(\frac{1+r}{2}\Big) - H\big(\mathcal{N}(2F^2)\big) . \qquad (21)$$

Proof. First of all, note that

$$p_{\theta k} = p_{0\theta k} + p_{1\theta k} = \tfrac{1}{4} \mathrm{Tr}\big(F_k (\rho_{0\theta} + \rho_{1\theta}) F_k\big) = \tfrac{1}{4} \mathrm{Tr}(F^2) ,$$



which is independent of k. Thus we have 

fc=i 

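and hence $p_{\theta k} = \frac{1}{8}$. Furthermore, as in the proof of Claim 2 there exists a bijection $f : \{0, 1\} \to
\{0, 1\}$ such that

$$p_{x|\theta k} = \frac{p_{x\theta k}}{p_{\theta k}} = \frac{\mathrm{Tr}(F_k \rho_{x\theta} F_k)/4}{1/8} = 2\,\mathrm{Tr}(F_k \rho_{x\theta} F_k) = 2\,\mathrm{Tr}(F \rho_{f(x)\theta} F) .$$

Note again that $h(p_{0|\theta k}) = h(p_{1|\theta k})$. We then obtain for the first term

$$H(X|\Theta K) = \sum_{\theta k} p_{\theta k}\, h(p_{0|\theta k}) = \sum_{\theta k} \frac{1}{8}\, h\big(2\,\mathrm{Tr}(F_k \rho_{0\theta} F_k)\big) = \frac{1}{2}\Big(h\big(2\,\mathrm{Tr}(F\rho_{0+}F)\big) + h\big(2\,\mathrm{Tr}(F\rho_{0\times}F)\big)\Big) .$$

For the second term, we need to evaluate $H(\mathcal{N}(\rho^{k}_{x\theta}))$. It follows from Claim 5 that if $p_{x\theta k} > 0$,
the normalized post-measurement state $\rho^{k}_{x\theta}$ has eigenvalues 0 and 1. Applying the depolarizing
quantum operation to such rank 1 state gives an entropy $H(\mathcal{N}(\rho^{k}_{x\theta})) = h((1 + r)/2)$, independent
of the state. Thus the second term becomes

$$\sum_{x\theta k} p_{x\theta k}\, H\big(\mathcal{N}(\rho^{k}_{x\theta})\big) = \sum_{x\theta k} p_{x\theta k}\, h\Big(\frac{1+r}{2}\Big) = h\Big(\frac{1+r}{2}\Big) .$$

For the third term, we use that for $0 < a < 1$, it holds that $\mathcal{N}(a\rho + (1-a)\sigma) = a\,\mathcal{N}(\rho) + (1-a)\,\mathcal{N}(\sigma)$. Hence,

$$p_{0|\theta k}\, \mathcal{N}(\rho^{k}_{0\theta}) + p_{1|\theta k}\, \mathcal{N}(\rho^{k}_{1\theta}) = \mathcal{N}\big(p_{0|\theta k}\, \rho^{k}_{0\theta} + p_{1|\theta k}\, \rho^{k}_{1\theta}\big)$$

$$= \mathcal{N}\left(2\,\mathrm{Tr}(F_k \rho_{0\theta} F_k^\dagger)\, \frac{F_k \rho_{0\theta} F_k^\dagger}{\mathrm{Tr}(F_k \rho_{0\theta} F_k^\dagger)} + 2\,\mathrm{Tr}(F_k \rho_{1\theta} F_k^\dagger)\, \frac{F_k \rho_{1\theta} F_k^\dagger}{\mathrm{Tr}(F_k \rho_{1\theta} F_k^\dagger)}\right)$$

$$= \mathcal{N}\big(2 F_k (\rho_{0\theta} + \rho_{1\theta}) F_k^\dagger\big)$$

$$= U_k\, \mathcal{N}(2F^2)\, U_k^\dagger ,$$

where $U_k \in G$. The third term then yields

$$\sum_{\theta k} p_{\theta k}\, H\Big(\sum_{x} p_{x|\theta k}\, \mathcal{N}(\rho^{k}_{x\theta})\Big) = H\big(\mathcal{N}(2F^2)\big) .$$

These arguments prove the Lemma. □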
B.3 F is Diagonal in the Computational Basis

Now that we have simplified our problem considerably, we are ready to perform the actual
optimization. We first show that we can take $F$ to be diagonal in the computational (or Hadamard)
basis.



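Claim 6 Let $F \in \mathbb{C}^{2\times 2}$ be the Hermitian operator that minimizes $C(F)$ as defined by Eq. (21).
Then $F = \alpha|\phi\rangle\langle\phi| + \beta(\mathrm{id} - |\phi\rangle\langle\phi|)$ for some $\alpha, \beta \in \mathbb{R}$ and pure state $|\phi\rangle$ lying in the XZ plane of
the Bloch sphere (i.e. $\mathrm{Tr}(FY) = 0$).

Proof. Since $F$ is a Hermitian operator on a 2-dimensional space, we may express $F$ as

$$F = \alpha|\phi\rangle\langle\phi| + \beta|\phi^\perp\rangle\langle\phi^\perp| ,$$

for some state $|\phi\rangle$ and real numbers $\alpha, \beta$. We first of all note that from $\sum_k F_k^\dagger F_k = \mathrm{id}$, we obtain
that

$$\sum_{k} \mathrm{Tr}(F_k^\dagger F_k) = \sum_{g \in \{\mathrm{id}, X, Z, XZ\}} \mathrm{Tr}(gFg^\dagger\, gFg^\dagger) = 4\,\mathrm{Tr}(F^2) = \mathrm{Tr}(\mathrm{id}) = 2 ,$$

and hence $\mathrm{Tr}(F^2) = \alpha^2 + \beta^2 = 1/2$. Furthermore, using that $|\phi\rangle\langle\phi| + |\phi^\perp\rangle\langle\phi^\perp| = \mathrm{id}$ gives

$$F = \alpha|\phi\rangle\langle\phi| + \beta(\mathrm{id} - |\phi\rangle\langle\phi|) , \qquad (22)$$

with $\beta = \sqrt{1/2 - \alpha^2}$. Hence without loss of generality, we can consider $0 \leq \alpha \leq 1/\sqrt{2}$. The
eigenvalues of $2F^2$ are $2\alpha^2$ and $1 - 2\alpha^2$. Hence, the third term of $C(F)$ becomes $H(\mathcal{N}(2F^2)) =
h(2r\alpha^2 + (1 - r)/2)$ which does not depend on $|\phi\rangle$. We want to minimize

$$\min_{F}\; \frac{1}{2}\Big(h\big(2\,\mathrm{Tr}(F\rho_{0+}F)\big) + h\big(2\,\mathrm{Tr}(F\rho_{0\times}F)\big)\Big) + h\big((1 + r)/2\big) - h\big(2r\alpha^2 + (1 - r)/2\big) . \qquad (23)$$

We first parametrize the state $|\phi\rangle$ in terms of its Bloch vector

$$|\phi\rangle\langle\phi| = \frac{\mathrm{id} + xX + yY + zZ}{2} .$$

Since $|\phi\rangle$ is pure we can write $y = \sqrt{1 - x^2 - z^2}$. Note that we may wlog assume that $0 \leq x, z \leq 1$,
since the remaining three measurement operators are given by $XFX$, $ZFZ$, and $XZFZX$. A small
calculation shows that for the encoded bit $x \in \{0, 1\}$

$$2\,\mathrm{Tr}(F\rho_{x+}F) = \frac{1}{2}\big(1 + (-1)^x (4\alpha^2 - 1) z\big) ,$$

and similarly

$$2\,\mathrm{Tr}(F\rho_{x\times}F) = \frac{1}{2}\big(1 + (-1)^x (4\alpha^2 - 1) x\big) .$$

Our goal is to show that for every $0 \leq \alpha \leq 1/\sqrt{2}$ the function

$$f(z) := h\big(2\,\mathrm{Tr}(F\rho_{0+}F)\big)$$

is non-increasing on the interval $0 \leq z \leq 1$. First of all, note that $f(z) = 1$ for $\alpha = 1/2$. We
now consider the case of $\alpha \neq 1/2$. A simple computation (using Mathematica) shows that when
differentiating $f$ with respect to $z$ we obtain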



dx^' ln2(i2(i_4Q,2)2_i) 

Hence the function has one maximum at $z = 0$ with $f(0) = 1$. Since $0 \leq \alpha \leq 1/\sqrt{2}$ and $\alpha \neq 1/2$
we also have that $(1 - 4\alpha^2)^2 \leq 1$ and hence $f''(z) \leq 0$ everywhere and $f$ is concave (though not
strictly concave). Thus $f(z)$ is decreasing with $z$.

Since we have $x^2 + z^2 + y^2 = 1$ we can thus conclude that in order to minimize $C(F)$, we want
to choose $x$ and $z$ as large as possible and thus let $y = 0$, from which the claim follows. □

We can immediately extend this analysis to find

Claim 7 Let $F$ be the operator that minimizes $C(F)$, and write $F$ as in Eq. (22). Then

$$|\phi\rangle = g|0\rangle$$

for some $g \in \{\mathrm{id}, X, Z, XZ\}$.

Proof. By Claim 6 we can rewrite our optimization problem as

minimize $(f(x) + f(z))/2 + h((1 + r)/2) - h(2r\alpha^2 + (1 - r)/2)$
subject to $x^2 + z^2 = 1$,
$0 \leq x \leq 1$,
$0 \leq z \leq 1$.

By using Lagrange multipliers we can see that for an extreme point we must have either $x = z =
1/\sqrt{2}$ or $x = 0, z = 1$ or $z = 0, x = 1$. From the definition of $f$ above we can see that to minimize
the expression, we want to choose the latter, from which the claim follows. □



B.4 Optimality of the Trivial Strategies 

We have shown that without loss of generality $F$ is diagonal in the computational basis. Hence, we
have only a single parameter left in our optimization problem. We must optimize over all operators
$F$ of the form

$$F = \alpha|\phi\rangle\langle\phi| + \sqrt{1/2 - \alpha^2}\;|\phi^\perp\rangle\langle\phi^\perp| ,$$

where we may take $|\phi\rangle$ to be $|0\rangle$ or $|1\rangle$. Our aim is to show that either $F$ is the identity, or $F = |\phi\rangle\langle\phi|$
depending on the value of $r$.

Claim 8 Let $F$ be the operator that minimizes $C(F)$, and let $r_0 := 2h^{-1}(\frac{1}{2}) - 1$. Then $F = c\,\mathrm{id}$
(for some $c \in \mathbb{R}$) for $r > r_0$, and $F = |\phi\rangle\langle\phi|$ for $r < r_0$, where

for some $g \in \{\mathrm{id}, X, Z, XZ\}$.
Proof. We can plug $x = 0$ and $z = 1$ in the expressions in the proof of our previous claim. Thus
our goal is to minimize

$$t(r, \alpha) := \frac{1}{2}\big(1 + g(1, \alpha)\big) + h\Big(\frac{1+r}{2}\Big) - g(r, \alpha) ,$$

where

$$g(r, \alpha) := h\Big(\frac{1+r}{2} - 2\alpha^2 r\Big) .$$

Differentiating $g$ with respect to $\alpha$ gives us

$$\frac{\partial}{\partial\alpha}\, g(r, \alpha) = 4\alpha r \left(\log\Big(\frac{1+r}{2} - 2\alpha^2 r\Big) - \log\Big(\frac{1-r}{2} + 2\alpha^2 r\Big)\right) ,$$

with which we can easily differentiate $t$ with respect to $\alpha$ as

$$\frac{\partial}{\partial\alpha}\, t(r, \alpha) = \frac{1}{2}\frac{\partial}{\partial\alpha}\, g(1, \alpha) - \frac{\partial}{\partial\alpha}\, g(r, \alpha) .$$

We can calculate

$$\lim_{\alpha \to 0} \frac{\partial}{\partial\alpha}\, t(r, \alpha) = 0$$

and

$$\frac{\partial}{\partial\alpha}\, t(r, 1/2) = 0 .$$

We thus have two extremal points. By computing the second derivative which is equal to $8(2r^2 -
1)/\ln 2$ at the point $\alpha = 1/2$, we can see that as $r$ grows from 0 to 1, the second extreme point
switches from a maximum to a minimum at $r = 1/\sqrt{2}$. Our goal is thus to determine for which $r$
we have

$$t(r, 0) < t(r, 1/2) .$$

Note that shortly after the transition point $r = 1/\sqrt{2}$, we do obtain two additional maxima, but
since we are interested in finding the minimum they do not contribute to our analysis. By plugging
in the definition for $t$ from above, we have that $t(r, 0) < t(r, 1/2)$ iff



2 - V 2 

or in other words iff 

2/.-Q)-l<r, 

as promised. □ 

We conclude that Bob's optimal strategy, the one which minimizes $H(X|\Theta K E)$, is an
extremal strategy, that is, he either measures his qubit in the computational basis, or he stores the
qubit as is. This is the content of Theorem 5.1. We believe that a similar analysis can be done for
the dephasing quantum operation, by first symmetrizing the noise by applying a rotation over $\pi/4$
to the input states.
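
The extremal-strategy result of Claim 8 can be checked numerically. The following Python code is an added example, not part of the paper: it assumes the one-parameter function $t(r, \alpha)$ obtained from Eq. (23) at $x = 0$, $z = 1$, rewritten in the variable $u = 2\alpha^2$, and all function names are illustrative.

```python
import math

def h(p):
    """Binary entropy in bits, with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def t(r, u):
    """t(r, alpha) from the proof of Claim 8, in the variable u = 2*alpha**2."""
    # Assumption: Eq. (23) evaluated at x = 0, z = 1, so g(r, alpha) = h((1+r)/2 - r*u).
    return 0.5 * (1 + h(u)) + h((1 + r) / 2) - h((1 + r) / 2 - r * u)

def best_strategy(r, steps=2000):
    """Minimise t(r, .) on a grid over 0 <= u <= 1 and classify the minimiser."""
    grid = [i / steps for i in range(steps + 1)]  # steps even: u = 1/2 is a grid point
    u_min = min(grid, key=lambda u: t(r, u))
    if abs(u_min - 0.5) < 1e-9:
        kind = "store"      # alpha = 1/2: F proportional to the identity
    elif u_min < 1e-9 or u_min > 1 - 1e-9:
        kind = "measure"    # alpha = 0 or 1/sqrt(2): F proportional to a rank-one projector
    else:
        kind = "interior"   # would contradict Claim 8
    return kind, u_min, t(r, u_min)

def threshold():
    """Bisect for r0 with h((1 + r0)/2) = 1/2, where t(r0, 0) = t(r0, 1/2)."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if h((1 + mid) / 2) > 0.5:   # h((1+r)/2) decreases in r on [0, 1]
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

if __name__ == "__main__":
    print(f"r0 = {threshold():.4f}")
    for r in (0.3, 0.6, 0.75, 0.8, 0.95):   # constructed sample noise parameters
        kind, u, val = best_strategy(r)
        print(f"r = {r:.2f}: {kind:8s} u = {u:.4f}  min t = {val:.4f}")
```

For $r = 0.75$, which lies between $1/\sqrt{2}$ and $r_0$, the point $\alpha = 1/2$ is already a local minimum but the global minimum is still the measuring strategy, which is why the proof compares $t(r, 0)$ with $t(r, 1/2)$ rather than relying on the second derivative alone.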